Quantum ransomware, first observed in August 2021, has been used in fast-moving intrusions. In the case examined here the attackers used the IcedID malware as the initial access vector; IcedID then deployed Cobalt Strike for remote access, which led to data theft and, finally, encryption with Quantum.
The DFIR Report analyzed one such Quantum ransomware intrusion. From the initial infection to the completion of device encryption, the attack lasted only 3 hours and 44 minutes. Initial access was gained through IcedID; the malware was most likely delivered by a phishing email carrying an attached ISO file.
IcedID is a modular banking Trojan that over the past five years has been used primarily as a loader for second-stage payloads, other downloaders, and ultimately ransomware. Packaging IcedID inside an ISO image is a common tactic because the image often passes email security controls that do not inspect its contents, and, at the time of this intrusion, files extracted from a mounted ISO did not carry the Mark-of-the-Web, so Windows applied fewer warnings when the user ran them.
About two hours after the initial infection, the attackers injected Cobalt Strike into a C:\Windows\SysWOW64\cmd.exe process, hiding the beacon inside an ordinary-looking 32-bit command interpreter. From there they harvested Windows domain credentials by dumping LSASS memory and began moving laterally, establishing RDP connections to other servers in the environment.
Once they had mapped the domain, the attackers staged the ransomware payload (named ttsel.exe) on each system by copying it over the C$ administrative share, then used WMI and PsExec to launch it and encrypt the devices.
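The chain above leaves a recognisable trail in Windows telemetry: a 32-bit cmd.exe that makes outbound connections, an unexpected process reading LSASS memory, an executable written to the C$ share, a PSEXESVC service installation, and processes spawned by WmiPrvSE.exe. The following detection logic is an added example written for this article, not code from The DFIR Report. It runs over hand-constructed event records whose field names resemble Sysmon events 1, 3 and 10, Security event 5145 and System event 7045; the hostnames, IP addresses, timestamps, the allow-lists and the 30-minute correlation window are all assumptions to be tuned for a real estate.

```python
"""Hunt rules for the IcedID -> Cobalt Strike -> Quantum chain, run over
constructed Sysmon/Security-style events (added example, not DFIR Report code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Times are ISO-8601.
SAMPLE_EVENTS = [
    # Sysmon 3: 32-bit cmd.exe beaconing out, the Cobalt Strike host process
    {"ts": "2022-01-01T10:00:00", "host": "WS01", "id": 3,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    # Sysmon 10: the same process opening LSASS with PROCESS_VM_READ
    {"ts": "2022-01-01T10:05:00", "host": "WS01", "id": 10,
     "source_image": r"C:\Windows\SysWOW64\cmd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Sysmon 10: benign, Defender also reads LSASS and must be allow-listed
    {"ts": "2022-01-01T10:05:30", "host": "WS01", "id": 10,
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Security 5145 on SRV01: payload written to the C$ share (WriteData = 0x2)
    {"ts": "2022-01-01T12:30:00", "host": "SRV01", "id": 5145,
     "share_name": r"\\*\C$", "relative_target": "ttsel.exe", "access_mask": "0x2",
     "client_ip": "10.0.0.5"},
    # System 7045 on SRV01: PsExec's service installed
    {"ts": "2022-01-01T12:31:00", "host": "SRV01", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Sysmon 1 on SRV02: payload launched through WMI
    {"ts": "2022-01-01T12:32:00", "host": "SRV02", "id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\ttsel.exe"},
    # Sysmon 1 on SRV02: benign WMI child, allow-listed
    {"ts": "2022-01-01T12:33:00", "host": "SRV02", "id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WmiAdap.exe"},
]

# Assumed allow-lists; every estate has its own set of legitimate LSASS readers.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe"}
WMI_CHILDREN_OK = {"wmiadap.exe", "werfault.exe"}
PROCESS_VM_READ = 0x10     # access right needed to dump LSASS memory
SHARE_WRITE_DATA = 0x2     # 5145 AccessMask bit for WriteData/AddFile


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rule(e):
    """Return a rule name if this single event is suspicious, else None."""
    eid = e["id"]
    if eid == 3 and basename(e["image"]) == "cmd.exe":
        return "cmd_outbound_network"  # cmd.exe has no business beaconing
    if eid == 10 and basename(e["target_image"]) == "lsass.exe":
        if (basename(e["source_image"]) not in LSASS_READERS_OK
                and int(e["granted_access"], 16) & PROCESS_VM_READ):
            return "lsass_memory_read"
    if (eid == 5145 and e["share_name"].endswith("C$")
            and e["relative_target"].lower().endswith(".exe")
            and int(e["access_mask"], 16) & SHARE_WRITE_DATA):
        return "exe_written_to_admin_share"
    if eid == 7045 and ("psexesvc" in e["service_name"].lower()
                        or "psexesvc" in e["image_path"].lower()):
        return "psexec_service_installed"
    if (eid == 1 and basename(e.get("parent_image", "")) == "wmiprvse.exe"
            and basename(e["image"]) not in WMI_CHILDREN_OK):
        return "wmi_spawned_process"
    return None


def run_rules(events):
    """Apply match_rule to every event in time order; returns (host, ts, rule) hits."""
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        rule = match_rule(e)
        if rule:
            hits.append((e["host"], e["ts"], rule))
    return hits


DEPLOY_RULES = {"psexec_service_installed", "wmi_spawned_process"}


def correlate_deployment(hits, window=timedelta(minutes=30)):
    """Hosts where an .exe landed on C$ and PsExec/WMI execution followed within `window`."""
    by_host = defaultdict(list)
    for host, ts, rule in hits:
        by_host[host].append((datetime.fromisoformat(ts), rule))
    flagged = []
    for host, seq in by_host.items():
        drops = [t for t, r in seq if r == "exe_written_to_admin_share"]
        execs = [t for t, r in seq if r in DEPLOY_RULES]
        if any(timedelta(0) <= (x - d) <= window for d in drops for x in execs):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(*hit)
    print("staged-and-executed on:", correlate_deployment(run_rules(SAMPLE_EVENTS)))
```

The single-event rules are deliberately noisy on their own (WmiPrvSE.exe legitimately spawns processes, and security products read LSASS); the value is in the correlation step, which only raises the deployment alert for hosts where a file dropped through the admin share is followed by PsExec or WMI execution. In the sample, SRV02 shows the WMI launch but no share write, so it would need the write event from its own 5145 log before it is flagged.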