What Is Quantum Ransomware?
Quantum (AKA Quantum Locker) is a very destructive strain of ransomware first discovered in July 2021 and is a sub-variant of MountLocker ransomware alongside AstroLocker and XingLocker. Although less active than its sibling strains, Quantum’s ransom expectations match those of its parent strain MountLocker, ranging from $150,000 to multi-million dollar demands. Quantum attacks evolve rapidly, often leaving victims only hours between initial infection and file encryption. They are often opportunistically executed during off-hours such as evenings or weekends, when IT admins are less actively defending a network.
The Quantum group includes members of Conti, a prolific cybercrime group that recently shuttered its ransomware operations and data-leak site. Quantum operators maintain an active TOR ransom negotiation site and a data-leak site named “Quantum Blog,” where they threaten to publish stolen data if the ransom is not paid within seventy-two hours. Although Quantum ransomware attacks do not always exfiltrate the victim’s data before encrypting files, their ransom notes threaten to publish stolen data—even when none was stolen.
In 2022, Quantum compromised a network of 657 healthcare providers, stealing the personal data, social security numbers, health insurance information, and medical records of more than 1.9 million people.
How Quantum Works
Quantum is delivered via email phishing campaigns that deploy first-stage malware, typically IcedID or Bumblebee loader, which imports the primary Quantum payload and additional tools onto the compromised system. From there, attackers conduct fast-paced network reconnaissance, especially seeking remote desktop (RDP) access to other network hosts. Attackers manually copy the Quantum encryption binary ttsel.exe to each host’s shared folder if access to adjacent systems is gained.
The early stages of a Quantum attack leverage toolkits such as Cobalt Strike Beacon, Rclone, the Ligolo tunneling tool, ProcDump, ADFind, and Local Security Authority Subsystem Service (Lsass.exe) for network recon and lateral movement, NPPSpy for stealing sensitive data, as well as living off the land (LOTL) tools such as WMI, PsExec and PowerShell. Quantum attacks are mostly manual exploits by a human operator rather than using complex automated scripts or toolkits. One of Quantum’s more sophisticated techniques, “process hollowing,” starts a cmd.exe process and injects CobaltStrike into the process’s memory to evade detection. To operate covertly, Quantum also checks for processes associated with malware analysis, such as ProcMon, Wireshark, CND, and task manager, and stops their processes.
To facilitate the encryption process, Quantum checks for database service processes and stops them, thus removing their access restrictions to valuable database content and allowing Quantum to encrypt it. Quantum’s primary encryption process uses a .dll or .exe executable to encrypt files via a hybrid-cryptography scheme using ChaCha20 to symmetrically encrypt files and an RSA-2048 public key to encrypt the single ChaCha20 symmetric encryption key.
Signs of a Quantum Attack
Quantum uses targeted phishing attacks that typically deliver an ISO that, when opened, appears only to contain a single LNK file named document. When clicked, this LNK file loads a hidden IcedID DLL file which delivers Quantum and additional second-stage tools.
After encrypting files, Quantum adds a .quantum file extension and creates a ransom note named README_TO_DECRYPT.html which contains a unique ID associated with the victim. Quantum’s ransom note presses the victim to meet a seventy-two-hour deadline, threatening to leak stolen data. The ransom note also directs victims to a custom Quantum support chat to make payment and use the provided file decryptor tool.