This guest blog was contributed by Dan Piazza, Technical Product Manager, Netwrix.
On April 25, The DFIR Report disclosed a Quantum ransomware attack that went from initial access to domain-wide ransomware in three hours and 44 minutes. The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.
At first glance, the Quantum Locker ransomware looks like a fairly standard attack. Initial access is via a phishing email; Cobalt Strike is then injected into Command Prompt to avoid detection; domain credentials are stolen via an LSASS memory dump; and those credentials are used to move laterally throughout the network via RDP and the administrative c$ share before the ransomware/encryption payload is executed with WMI and PsExec. At that point files are encrypted (and sometimes exfiltrated) and the attacker’s financial demands begin, ranging anywhere from hundreds of thousands to millions.
What stands out about the Quantum Locker ransomware is its efficiency. As reported by The DFIR Report, the attackers were able to achieve domain takeover and ransomware deployment in under four hours from the initial intrusion. This is quite fast for ransomware, leaving security teams little time to react, especially if the attack were to occur on a night or weekend. While it seems the group behind this ransomware is only performing a few attacks a month, it’s unsettling to think an entire network can be breached and encrypted that fast.
With that said, organizations with the proper security measures and controls in place can still protect themselves from such efficient attacks. The most obvious hole to plug is users’ vulnerability to phishing, which can be reduced through training and education. However, the human factor will eventually let its guard down, so organizations need other safeguards in place in the form of software.
Thinking about this specific attack chain, there are some easy first steps organizations can take to harden themselves against such ransomware.
First, ensuring that admins only use their credentials through privileged access management software that does not leave credentials in memory is critical. Right behind that comes auditing all accounts in the network for shadow admins: accounts that may not seem privileged at first but, through the right sequence of events, can become admins (meaning even non-admin credentials dumped from memory could lead to domain compromise). Beyond that, ensuring that lateral movement vectors such as RDP and administrative c$ shares are locked down is a must, at least when they are not actively needed by legitimate admins or software.
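As an added example (not from the original post or from Netwrix), a defender-side check for the RDP/c$-then-PsExec/WMI hop described above: it correlates Windows Security events per host (4624 logon type 10, 5140 share access, 4688 process creation) and flags hosts where remote access is followed within a short window by PsExec or WMI execution. The event dict shape, host names, users, addresses and times are constructed assumptions, not real log data.

```python
"""Flag hosts showing the RDP / C$ -> PsExec/WMI hop over a batch of
constructed Windows Security events (assumed dict shape, not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs: 4624 = logon (LogonType 10 = RemoteInteractive, i.e. RDP),
# 5140 = network share object accessed, 4688 = new process created.
RDP_LOGON, SHARE_ACCESS, PROC_CREATE = 4624, 5140, 4688
# Remote-execution tooling from the reported chain: PsExec service, WMI provider host.
EXEC_PROCS = {"psexesvc.exe", "wmiprvse.exe"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def lateral_movement_chains(events, window=timedelta(minutes=30)):
    """Return {host: [reasons]} for hosts where remote access (RDP logon or
    C$ share access) is followed within `window` by PsExec/WMI execution."""
    access = defaultdict(list)  # host -> [(ts, description)]
    execs = defaultdict(list)   # host -> [(ts, process basename)]
    for e in events:
        ts = parse_ts(e["time"])
        # 4688 carries the full image path (assumed field name); compare on the basename.
        proc = e.get("process", "").rsplit("\\", 1)[-1]
        if e["id"] == RDP_LOGON and e.get("logon_type") == 10:
            access[e["host"]].append((ts, f"RDP logon by {e['user']} from {e['src']}"))
        elif e["id"] == SHARE_ACCESS and e.get("share", "").upper().endswith("C$"):
            access[e["host"]].append((ts, f"C$ share access by {e['user']} from {e['src']}"))
        elif e["id"] == PROC_CREATE and proc.lower() in EXEC_PROCS:
            execs[e["host"]].append((ts, proc))
    hits = {}
    for host, accs in access.items():
        for a_ts, why in accs:
            for x_ts, proc in execs.get(host, []):
                if a_ts <= x_ts <= a_ts + window:  # execution shortly after access
                    hits.setdefault(host, []).append(f"{why} -> {proc}")
    return hits

# Constructed sample events: hosts, users and addresses are made up.
SAMPLE = [
    {"time": "2022-04-20 02:10:00", "id": 4624, "host": "FS01", "user": "CORP\\admin1", "src": "10.0.0.5", "logon_type": 10},
    {"time": "2022-04-20 02:12:30", "id": 5140, "host": "DC01", "user": "CORP\\admin1", "src": "10.0.0.5", "share": "\\\\*\\C$"},
    {"time": "2022-04-20 02:14:00", "id": 4688, "host": "DC01", "process": "C:\\Windows\\PSEXESVC.exe"},
    {"time": "2022-04-20 02:20:00", "id": 4688, "host": "FS01", "process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"time": "2022-04-20 09:00:00", "id": 4624, "host": "WS07", "user": "CORP\\jsmith", "src": "10.0.0.9", "logon_type": 10},
    {"time": "2022-04-20 09:05:00", "id": 4688, "host": "WS07", "process": "C:\\Windows\\System32\\notepad.exe"},
]
if __name__ == "__main__":
    for host, reasons in lateral_movement_chains(SAMPLE).items():
        print(host, reasons)
```

The correlation window and the process list are tuning knobs; in a real deployment the events would come from a SIEM or Get-WinEvent rather than an inline list.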