Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Mount Locker. Show all posts

Quantum Ransomware was Detected in Several Network Attacks

 

Quantum ransomware, originally spotted in August 2021, has been found carrying out fast attacks which expand quickly, leaving defenders with little time to react. The assault began with the installation of an IcedID payload on a user endpoint, followed by the launch of Quantum ransomware 3 hours and 44 minutes later. It was identified by DFIR Report researchers as one of the fastest ransomware attacks it had ever seen. IcedID and ISO files have recently been utilized in other attacks, as these files are great for getting past email security safeguards.

According to Mandiant's M-Trends 2022 study, the threat actors began encrypting the victim's data only 29 hours after the first breach in a Ryuk ransomware assault in October 2020. The median global dwell period for ransomware is around 5 days. However, once the ransomware has been installed, the data of the victim may be encrypted in minutes. According to a recent analysis from Splunk, ransomware encrypts data in an average of 43 minutes, with the fastest encryption time being less than 6 minutes. 

The IcedID payload was stored within an ISO image which was presumably distributed by email in the examined Quantum ransomware outbreak. The malware was disguised as a "document" file, which was an LNK file designed to run a DLL (IcedID). Several discovery activities were run when the DLL was executed, utilizing various built-in Windows functions, and a scheduled job was constructed to ensure persistence. 

Cobalt Strike was installed into the victim system about two hours after the first breach, allowing the attackers to begin 'hands-on-keyboard' behavior. The fraudsters then began network reconnaissance, which included identifying each host in the environment as well as the active directory structure of the target organization. After releasing the memory of LSASS, the intruders were able to steal Windows domain credentials and spread laterally via the network. 

Cobalt Strike was also used by the attackers to collect credentials and test them for remote WMI detection tasks. The credentials enabled the adversary to log in to a target server through the remote desktop protocol (RDP), from which they attempted to distribute Cobalt Strike Beacon. The malicious actors then used RDP to access other servers in the system, where they prepared to deliver Quantum ransomware per each host. Threat actors eventually used WMI and PsExec to deliver the Quantum ransomware payload and encrypt devices via WMI and PsExec. 

The Quantum Locker ransomware is a rebranded version of the MountLocker malware, which first appeared in September 2020. Since then, the ransomware gang has gone by several names, including AstroLocker, XingLocker, and Quantum Locker, which is now in its current phase. 

While the DFIR report claims since no data exfiltration activity was detected in the assault they investigated, researchers claim the ransom demands for this gang fluctuate based on the victim, with some attacks seeking $150,000 in exchange for a decryptor. Quantum Locker, unlike its prior versions, is not a highly active operation, with only a few attacks per month.

Sophos Uncovered Connection Between Mount Locker and Astro Locker Team

 

Sophos published another report on a recently revealed association between the Mount Locker ransomware group and a new group, called "Astro Locker Team." Sophos as of late recognized ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attacker's chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling themselves "AstroLocker Team" or "Astro Locker Team." Astro Locker has all the earmarks of being a new ransomware family – however, appearances can be beguiling. 

When comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five of the organizations listed on the Astro Locker site were likewise listed as victims on the Mount Locker site. Delving in further, the size of the information leaks on each of the five matched and shared some of the same links to the spilled information. Taking a gander at the matching links all the more intently, Sophos experts saw one final association: a portion of the spilled information linked on the Mount Locker site was being facilitated on the Astro Locker onion site: http[:]//anewset****.onion.  

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie contended that Mount Locker could be utilizing the Astro name to pretend the group has a significant new associate for its new RaaS program, or it very well might be a legitimate deal intended to speed up its change to turning into a RaaS operation. 

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.