Quantum Ransomware: The Fastest Ransomware Out There

The DFIR Report has released findings on Quantum Ransomware, one of the fastest ransomware cases they have observed. Researchers with The DFIR Report observed an IcedID payload go from initial access to domain-wide ransomware in under four hours. Approximately 2 hours after the initial IcedID payload was executed, the threat actors appeared to begin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before WMI and PsExec were used to deploy the Quantum ransomware. This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes.

I have a pair of comments on this. The first is from Chris Olson, CEO of The Media Trust, who had this to say:

“The speed of Quantum ransomware is consistent with recent findings that network defenders only have 43 minutes on average to stop a ransomware attack once it begins. Ultimately this shows that it is futile to respond to ransomware and encryption attacks after the fact. To protect themselves, organizations must pivot to prevention over treatment.”

“Importantly, today’s businesses must work to gain a detailed understanding of the way that ransomware attackers compromise their systems, from the reconnaissance phase through to execution. It’s easy to overlook the importance of digital attack surfaces such as the Web and mobile devices – but this is exactly where many ransomware incidents begin.”

The second comment is from Saryu Nayyar, CEO and Founder of Gurucul:

“This is an example of an attacker using multiple known methods that are linked together but are easily able to evade static flow-chart based machine learning and artificial intelligence found in most traditional SIEMs and XDR systems today. The key for security teams is to assume that ‘compromise is inevitable’ and take a stance in improving their operations to handle quickly spun-up malware variants and changes in layered attack techniques that show a high degree of persistence by threat actors. Organizations need to incorporate behavior-based analytics, a plethora of machine learning models, and more importantly self-trained machine learning that does not require vendor updates to detect these new attack campaigns.”

Clearly, threat actors are becoming more and more advanced in how they launch attack campaigns, and the attacks themselves are more sophisticated than ever before. That means your organization's ability to detect threat actors really needs to be priority one.
