By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Notification
Latest News
Android 14 will prevent malware from getting dangerous rights
February 12, 2023
Cybersecurity experts found malicious mods for Dota 2
February 12, 2023
The ESXiArgs encryptor has been updated. Data recovery is now impossible
February 12, 2023
Reddit has been hacked. Hackers stole source codes and internal data
February 12, 2023
The founder of the startup Webaverse was robbed of $ 4 million in cryptocurrency during a personal meeting
February 12, 2023
Aa
  • News
  • Tutorials
  • Security InsiderComing Soon
  • Expert InsightComing Soon
Reading: Quantum ransomware operators carried out the attack in almost 4 hours
Share
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Aa
Search
  • News
  • Tutorials
  • Security InsiderComing Soon
  • Expert InsightComing Soon
Follow US
Security Parrot - Cyber Security News, Insights and Reviews > News > Quantum ransomware operators carried out the attack in almost 4 hours
ransomware
News

Quantum ransomware operators carried out the attack in almost 4 hours

Last updated: 2022/04/26 at 1:22 AM
Jim Koohyar Biniyaz Published April 26, 2022
Share
ransomware
SHARE

The attackers used the IcedID malware as one of their initial access vectors.

Quantum ransomware, first discovered in August 2021, has been used in fast network attacks. The attackers used the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption with Quantum.

The DFIR Report analyzed Quantum ransomware attacks. The attack lasted only 3 hours and 44 minutes from the initial infection to the completion of device encryption. The attack used the IcedID malware as initial access to the victim’s system. Presumably, the malware was installed by attackers via a phishing email containing an attached ISO file.

IcedID is a modular banking Trojan that has been used over the past five years primarily to deploy stage 2 payloads, downloaders, and ransomware. The combination of IcedID and ISO archives is often used in cyberattacks because such files can bypass email security solutions.

Two hours after the initial infection, the attackers injected Cobalt Strike into the C:\Windows\SysWOW64\cmd.exe process to avoid detection. At this point, the criminals stole Windows domain credentials by dumping LSASS memory and spread through the network. The hackers then proceeded to establish RDP connections to other servers in the environment.

Once the criminals had a grasp of the domain structure, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe) to each system via the C$ share. The attackers eventually used WMI and PsExec to deploy the Quantum ransomware payload and encrypt devices.

Weekly Updates For Our Loyal Readers!

Jim Koohyar Biniyaz April 26, 2022
Share this Article
Facebook Twitter Email Copy Link Print

Archives

  • February 2023
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020

You Might Also Like

News

Android 14 will prevent malware from getting dangerous rights

February 12, 2023
News

Cybersecurity experts found malicious mods for Dota 2

February 12, 2023
News

The ESXiArgs encryptor has been updated. Data recovery is now impossible

February 12, 2023
News

Reddit has been hacked. Hackers stole source codes and internal data

February 12, 2023

© 2022 Parrot Media Network. All Rights Reserved.

  • Home
  • Parrot Media Group
  • Privacy Policy
  • Terms and Conditions
Join Us!

Subscribe to our newsletter and never miss our latest news, podcasts etc..

Zero spam, Unsubscribe at any time.

Removed from reading list

Undo
Go to mobile version
Welcome Back!

Sign in to your account

Lost your password?