What is Quantum Ransomware?

Dr Magda CHELLY, CISSP, PhD
Published in Magda On Cyber
8 min read, Apr 30, 2022

Ransomware is a type of malware that encrypts your files and makes them inaccessible until you pay a ransom. It is typically spread through phishing emails or compromised websites. Once it is on your computer, it encrypts your files and renders them unusable. The only ways to regain access are to pay the ransom and obtain the decryption key from the criminals, or to recover your data and systems from an offline backup.

Ransomware attacks are costly and disruptive. They can cause significant financial damage to individuals and companies.

Malicious spam emails are one of the most common infection vectors for ransomware. These emails carry booby-trapped PDF or Office attachments that trick the recipient into executing malicious code, which then infects the machine with ransomware and keeps it out of action until the ransom, usually demanded in Bitcoin through a ransom note, is paid.

There are many different types of ransomware out there, each with its own unique characteristics.

Ransomware Types

When did Ransomware start?

In 1989, the first ransomware appeared. The AIDS Info Disk, or PC Cyborg Trojan, was a program that infected computers and displayed a ransom message. It was distributed on floppy disks in 1989, long before most of us had the chance to use a computer for the first time.

Infected disks were sent out to attendees of the World Health Organization's AIDS conference by Joseph Popp, the researcher who developed the AIDS trojan. A leaflet that came with the diskettes warned that the software would "Adversely affect other program applications" and added, "you will owe compensation and possible damages to PC Cyborg Corporation, and your microcomputer will stop functioning normally." The diskettes were labeled "AIDS Information — Introductory Diskettes," and they did contain information about HIV and AIDS.

The trojan counted how many times the machine had been started up; once the count reached 90, it hid directories and encrypted the names of files on the C drive. Users had to send $189 to PC Cyborg Corporation, at a PO box in Panama, to restore access. Because it employed basic symmetric encryption, the AIDS Trojan was straightforward to defeat, and tools to recover the data were available shortly afterwards.

Since its debut in 1989, ransomware has become increasingly common and sophisticated, with new variants appearing regularly. In recent years, ransomware has been used to target both individual users and large organizations, including hospitals and government agencies.

Some of the most common variants include:

1. Cryptolocker: This ransomware used encryption to lock down files and make them inaccessible; to regain access, victims were asked to pay a ransom fee. The malware targeted machines running Microsoft Windows, and it is believed to have been first released on the Internet on September 5, 2013, according to the FBI.

2. Locky: Locky is a ransomware family first discovered in 2016.
It is distributed through email, with an attachment that is a Microsoft Word document containing malicious macros. A macro is a named fragment of code that can be invoked by other code or by the application itself. Macros can be used to automate repetitive tasks or to perform complex operations with a few simple commands; for example, a macro could insert boilerplate text into a document, perform data-entry tasks, or generate reports from a database. Office macros are written in Visual Basic for Applications (VBA), and a malicious one typically downloads and runs the ransomware payload as soon as the user enables macros. Locky usually arrives as an attachment in an email masquerading as a legitimate document or invoice.

3. CryptoWall: CryptoWall is ransomware delivered as a Trojan horse; it encrypts data on infected computers and demands that users pay a ransom to obtain the decryption key. It has been widely observed in the wild.
In most cases, CryptoWall is introduced by a spam email, a malicious online advertisement, a compromised website, or another piece of malware already on the machine.
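The Locky item above turns on one detail: the malicious code lives in a VBA project inside an Office attachment, and the file extension is not what tells you it is there. The following is an added example, not code from the original article, of how a mail-gateway check would decide on content rather than on name: it opens the OOXML zip container, looks for the vbaProject.bin part that Word, Excel and PowerPoint use to store macros, and treats a macro container that hides behind a non-macro extension as the most suspicious case. The sample attachments, their names and the verdict strings are constructed for the demo; legacy binary (OLE2) documents are only recognised and held, since checking them properly needs an OLE parser such as olevba.

```python
import io
import zipfile

# Magic bytes for the two Office container formats.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.docm/.xlsm ...) is a zip archive

# Extensions Office itself uses to signal "this file may contain macros".
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def ooxml_macro_parts(data: bytes) -> list[str]:
    """Return the names of VBA project parts inside an OOXML container.

    Word, Excel and PowerPoint store macro code in a part named vbaProject.bin
    (under word/, xl/ or ppt/). Its presence, not the file extension, is what
    tells you the document carries macros.
    """
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith("vbaproject.bin")]


def classify_attachment(filename: str, data: bytes) -> str:
    """Give a gateway verdict for one attachment based on content, not name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    parts = ooxml_macro_parts(data)
    if parts:
        if ext in MACRO_EXTS:
            return "BLOCK: macro-enabled Office document"
        # Office sniffs the container format, so a .docm renamed to .doc can
        # still open with its macros; an extension-only filter would pass it.
        return f"BLOCK: VBA project hidden behind non-macro extension .{ext}"
    if data.startswith(OLE2_MAGIC):
        # The binary format can embed VBA too, but confirming that needs an OLE
        # parser (e.g. oletools/olevba); hold the file rather than guess.
        return "QUARANTINE: legacy binary Office file, needs OLE inspection"
    if data.startswith(ZIP_MAGIC):
        return "ALLOW: OOXML document without a VBA project"
    return "ALLOW: not an Office container"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0 stand-in for VBA storage")
    return buf.getvalue()


# Constructed sample attachments (names and contents are invented for the demo).
SAMPLES = {
    "invoice_2016.docm": build_ooxml(with_macro=True),
    "invoice_2016.doc": build_ooxml(with_macro=True),   # macro container, misleading extension
    "report.docx": build_ooxml(with_macro=False),
    "old_invoice.doc": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text, nothing to see",
}


def scan_samples() -> dict[str, str]:
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:20} {verdict}")
```

The design point is that the zip member list is the cheap, reliable signal: it costs one directory read, needs no macro parsing, and cannot be fooled by renaming the file.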

What is Double Extortion?

A rising ransomware method known as "double extortion," also called "pay-now-or-get-breached," works by having the attackers first exfiltrate large amounts of confidential information from the victim's network before encrypting the victim's files. If the victim does not pay, the criminals threaten to publish the data.

This type of ransomware is particularly insidious because it gives cybercriminals two opportunities to profit from a single attack.

What is Triple Extortion?

Triple extortion is an expansion of the double extortion attack. While the specific tactics differ, the attackers typically also target the victim's clients or partners, either to demand a ransom from them directly or to pressure the original victim into paying.

In the example below, had the criminals also used the data-breach threat, the attack would have qualified as triple extortion.

The Kaseya attack of 2021 was a ransomware attack delivered through Kaseya's own product to Kaseya's customers and their customers in turn. Just before the Fourth of July weekend in 2021, attackers struck the US IT management company Kaseya, holding more than 1,000 organizations hostage. On July 2, the ransomware was distributed as a malicious update pushed through Kaseya VSA servers, and as a consequence thousands of systems at hundreds of enterprises had their data encrypted.

When the REvil group pushed the malicious update carrying the payload known as "Sodinokibi," it immediately began encrypting servers and shared files on the affected machines. In contrast to the SolarWinds supply chain attack, where the vendor's own build environment was compromised, here Kaseya's update mechanism was abused but the company's own infrastructure does not appear to have been compromised. The code used in the Kaseya attack checked the system language and exited on machines configured for Russian or closely related languages. The same behaviour was seen in the DarkSide ransomware attack on Colonial Pipeline, and it lends credence to suspicions that a Russian-speaking gang operating from Russia was behind the attack.

So, What is Quantum Ransomware?

The Quantum ransomware, a strain first observed in August 2021, has been seen carrying out swift attacks that give victims little time to respond.

Source: The DFIR Report

Threat actors use the IcedID malware as an initial access vector; it installs Cobalt Strike for remote access, which in turn leads to data theft and to encryption with Quantum Locker.

The IcedID Trojan has been distributed using steganography: the encrypted payload is embedded inside a genuine-looking PNG image to disguise its true nature. Steganography is the practice of hiding a secret message within an ordinary-looking message; the carrier can be text, an image, or audio.

The main IcedID module is not a standard PE file; it is executed by a customized loader that relies on a custom header structure. Malwarebytes has published a detailed overview of the loader.
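To make the PNG trick concrete, here is an added example (not code from the article, from The DFIR Report or from the IcedID loader itself) that shows both halves of it. The "loader" side hides an encrypted blob in a private ancillary chunk, which every PNG decoder is required to skip, so the image still renders; the "analyst" side walks the chunk list and reports what a decoder would silently ignore: non-standard chunk types, CRC mismatches and bytes appended after IEND. The chunk name pyLd, the XOR cipher and the payload bytes are invented for the demo; the real loader's format and cipher are not reproduced here.

```python
import struct
import zlib
from typing import Iterator, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Invented private chunk type: lowercase 1st byte = ancillary (decoders skip it),
# lowercase 2nd byte = private, uppercase 3rd byte = reserved bit as required.
PAYLOAD_CHUNK = b"pyLd"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy XOR stream; stands in for whatever cipher a real loader would use."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_png(payload: Optional[bytes] = None, key: bytes = b"", trailer: bytes = b"") -> bytes:
    """Build a valid 1x1 RGB PNG, optionally smuggling an encrypted payload in a
    private chunk and/or appending raw bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    out = PNG_SIG + make_chunk(b"IHDR", ihdr)
    if payload is not None:
        out += make_chunk(PAYLOAD_CHUNK, xor_bytes(payload, key))
    out += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return out + trailer


def iter_chunks(png: bytes) -> Iterator[tuple]:
    """Yield (offset, type, data, crc_ok) per chunk, then a pseudo-chunk holding
    whatever follows IEND (or the remainder of a truncated file)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        stored = png[pos + 8 + length:pos + 12 + length]
        crc_ok = stored == struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
        yield pos, ctype, data, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break
    yield pos, b"<trailer>", png[pos:], True


def inspect_png(png: bytes) -> list[str]:
    """Analyst side: list what a decoder ignores but an investigator should not."""
    if not png.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    findings = []
    for off, ctype, data, crc_ok in iter_chunks(png):
        name = ctype.decode("latin-1")
        if ctype == b"<trailer>":
            if data:
                findings.append(f"{len(data)} bytes appended after IEND")
        elif ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(data)} bytes) at offset {off}")
        elif not crc_ok:
            findings.append(f"CRC mismatch in chunk {name} at offset {off}")
    return findings


def extract_payload(png: bytes, key: bytes) -> Optional[bytes]:
    """Loader side: pull the private chunk back out and decrypt it."""
    for _, ctype, data, _ in iter_chunks(png):
        if ctype == PAYLOAD_CHUNK:
            return xor_bytes(data, key)
    return None


# Constructed demo inputs (not real malware bytes).
DEMO_KEY = b"k3y!"
DEMO_PAYLOAD = b"MZ\x90\x00 stand-in for an encrypted second-stage module"

if __name__ == "__main__":
    clean = build_png()
    stego = build_png(DEMO_PAYLOAD, DEMO_KEY)
    print("clean  :", inspect_png(clean))
    print("stego  :", inspect_png(stego))
    print("recover:", extract_payload(stego, DEMO_KEY))
```

Two practical points follow from the code: a stego image of this kind is a perfectly valid PNG, so image viewers and most content filters will not complain, and the cheap triage signals are structural (unexpected chunk types, large ancillary chunks, data after IEND), not visual.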

Approximately two hours after the initial intrusion, Cobalt Strike was installed in the victim's environment, enabling the attackers to begin 'hands-on-keyboard' activity. The speed at which the attackers were able to take advantage of a compromised system is striking, and this kind of fast-moving ransomware operation is becoming more common.

The attackers then conducted network reconnaissance, identifying each host in the environment and mapping the victim organization's Active Directory structure. They also used Cobalt Strike to harvest credentials and tested them by performing remote WMI discovery.

After obtaining credentials that gave remote desktop protocol (RDP) access to a target server, the adversary installed a Cobalt Strike Beacon on it. They then used RDP to connect to more computers in the environment and prepared the distribution of the Quantum ransomware to every host. The encryptor was executed remotely through WMI and PsExec, both of which the attackers had staged alongside the ransomware.
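The chain just described (credential testing over WMI, RDP hopping between servers, then PsExec and WMI to launch the encryptor everywhere) leaves a recognisable trail in Windows event logs. As an added example that is not part of the article or of The DFIR Report's analysis, the following detection logic runs three rules over a constructed log: a PSEXESVC service install (event 7045), a remote `wmic /node: ... process call create` (event 4688), and one account opening RDP sessions (event 4624, logon type 10) to several hosts inside a short window. The log lines, host and account names, the flattened "timestamp key=value" format and the 3-hosts-in-30-minutes threshold are all assumptions made for the demo; real deployments would read the Security and System logs directly and tune the threshold to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line as "timestamp key=value ...".
# Event IDs follow Windows conventions: 4688 process creation, 4624 logon
# (logon_type 10 = RemoteInteractive, i.e. RDP), 7045 new service installed.
SAMPLE_LOG = r"""
2022-04-10T03:01:02Z host=WS-042 id=4688 user=CORP\jdoe cmd="rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,PluginInit"
2022-04-10T03:05:10Z host=WS-042 id=4688 user=CORP\jdoe cmd="wmic /node:SRV-FILE01 process call create cmd.exe /c C:\Windows\Temp\svc.exe"
2022-04-10T03:12:44Z host=SRV-FILE01 id=7045 user=CORP\svc_backup service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe
2022-04-10T03:15:00Z host=SRV-DC01 id=4624 user=CORP\svc_backup logon_type=10 src=WS-042
2022-04-10T03:18:30Z host=SRV-APP02 id=4624 user=CORP\svc_backup logon_type=10 src=WS-042
2022-04-10T03:21:05Z host=SRV-SQL01 id=4624 user=CORP\svc_backup logon_type=10 src=WS-042
2022-04-10T03:30:00Z host=SRV-DC01 id=7045 user=SYSTEM service=MpKslDrv path=C:\ProgramData\Microsoft\MpKslDrv.sys
2022-04-10T09:00:00Z host=SRV-DC01 id=4624 user=CORP\helpdesk logon_type=10 src=WS-007
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one flattened event line into a dict with a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def detect(log_text: str, rdp_threshold: int = 3,
           window: timedelta = timedelta(minutes=30)) -> list[str]:
    """Apply the three lateral-movement rules and return alert strings in time order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts: list[str] = []
    rdp_hits: dict[str, list] = defaultdict(list)   # user -> [(ts, host)]
    flagged_rdp: set[str] = set()                   # alert once per user
    for e in sorted(events, key=lambda ev: ev["ts"]):
        eid = e.get("id")
        when = e["ts"].strftime("%H:%M:%S")
        if eid == "7045":
            # PsExec installs a service called PSEXESVC (binary PSEXESVC.exe) on the target.
            svc = (e.get("service", "") + " " + e.get("path", "")).lower()
            if "psexesvc" in svc:
                alerts.append(f"PsExec service installed on {e['host']} as {e.get('user')} at {when}")
        elif eid == "4688":
            # Remote process creation over WMI from the command line.
            cmd = e.get("cmd", "").lower()
            if "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
                alerts.append(f"Remote WMI process creation from {e['host']} by {e.get('user')} "
                              f"at {when}: {e['cmd']}")
        elif eid == "4624" and e.get("logon_type") == "10":
            # One account fanning out over RDP to many hosts in a short window.
            user = e.get("user", "?")
            rdp_hits[user].append((e["ts"], e["host"]))
            recent = {h for t, h in rdp_hits[user] if e["ts"] - t <= window}
            if len(recent) >= rdp_threshold and user not in flagged_rdp:
                flagged_rdp.add(user)
                minutes = int(window.total_seconds() // 60)
                alerts.append(f"RDP fan-out: {user} reached {len(recent)} hosts within "
                              f"{minutes} min ({', '.join(sorted(recent))})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The ordinary service install at 03:30 and the single help-desk RDP session at 09:00 deliberately produce nothing, which is the property worth checking in any rule like this: the signal is the combination (service name, command-line shape, fan-out rate), not the event ID on its own.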

The encryptor appends the .quantum suffix to encrypted file names and drops ransom notes named README TO DECRYPT.html.

This marked the beginning of the operation's rebranding as Quantum (Quantum Locker is widely regarded as a rebrand of the earlier MountLocker ransomware).

For the tech lovers, please do check this fantastic detailed analysis on The DFIR Report.

Ransomware is evolving quickly because cybercriminals keep finding new ways to exploit users and hold their data hostage. This rapid growth can be largely attributed to the increasing popularity of ransomware-as-a-service (RaaS), which allows anyone with minimal technical knowledge to launch a ransomware attack. In addition, cryptocurrencies such as Bitcoin make it easier for cybercriminals to collect payments from victims while reducing the risk of being identified.

Nonetheless, there are measures you can take to protect yourself from ransomware attacks, including updating your software regularly, backing up your data, and being careful about where you download files from.

Ransomware is a serious threat that can cause significant financial damage. If you are not prepared, you could easily fall victim to an attack. The best way to protect yourself is to have a comprehensive cybersecurity plan in place, with an incident response process specifically crafted for ransomware. You should also back up your data regularly, test the backups, and keep a copy offline.

If you are ever attacked, avoid paying the ransom: there is no guarantee that you will get your files back even if you do.

Follow Magda on Twitter: https://twitter.com/m49D4ch3lly


By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
