Quantum ransomware, a strain first discovered in August 2021, has been observed carrying out fast-moving attacks that escalate quickly and leave defenders little time to react. The threat actors use the IcedID malware as one of their initial access vectors; IcedID deploys Cobalt Strike for remote access, which leads to data theft and encryption with Quantum Locker. The technical details of a Quantum ransomware attack were analyzed by security researchers at The DFIR Report, who say the attack lasted only 3 hours and 44 minutes from initial infection to the completion of encryption on the victim's devices.
Ransomware threat actors are streamlining their processes and reducing the time from initial infection to the completion of encryption. In the past, it could take days from initial access to the complete encryption of devices on a network; the threat actors behind Quantum ransomware have completed their attacks in under four hours from the initial infection. This makes it all the more crucial to prevent these threat actors from gaining an initial foothold on the network in the first place, as the window to interrupt these incidents is narrowing. The most common way to gain initial access is through phishing campaigns, so it is important to train users to spot and report phishing emails, and never to enable Office document macros unless they are absolutely certain there is a business need. Beyond this, use Multi-Factor Authentication (MFA) on all forms of remote access, such as RDP and VPN, and have good endpoint monitoring with an EDR solution and either an internal SOC or a service like Binary Defense to triage the alerts. Having multiple backups and an incident response plan is also important, but in recent years ransomware threat actors have been exfiltrating proprietary data and leveraging it to extort victims even when they are able to restore from backups.
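The macro recommendation above can be enforced rather than left to user judgement. The following PowerShell is an added example, not code from the original article or from Binary Defense or The DFIR Report: it writes the documented Office policy values that disable unsigned macros and block macro execution in files downloaded from the internet, then audits the result so drift can be reported. It assumes Office 2016/2019/Microsoft 365 (policy hive version "16.0") and the Word, Excel and PowerPoint applications; the `$OfficeVersion` and `$Apps` values are assumptions to adjust for other deployments.

```powershell
# Added example (not from the original article): enforce and audit the Office macro policy.
# Assumes Office 2016/2019/Microsoft 365, whose policy hive is "16.0"; adjust for other builds.
# Run in the context of the user being configured, or push the same values via Group Policy.
$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")

# Desired policy values (documented Office policy settings):
#   VBAWarnings = 3                       -> "Disable all macros except digitally signed macros"
#   blockcontentexecutionfrominternet = 1 -> block macros in files carrying the Mark-of-the-Web
# Use VBAWarnings = 4 (disable all, no notification) where no signed-macro business need exists.
$Desired = @{
    "VBAWarnings"                       = 3
    "blockcontentexecutionfrominternet" = 1
}

function Get-OfficeSecurityKey {
    param([string]$App)
    return "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-MacroPolicy {
    # Create the policy key for each app if missing and write every desired DWORD value.
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-MacroPolicy {
    # Emit one object per app/setting so non-compliant hosts can be fed to a SIEM or ticket queue.
    $results = foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -App $app
        foreach ($name in $Desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Desired[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Desired[$name])
            }
        }
    }
    return $results
}

Set-MacroPolicy
Test-MacroPolicy | Format-Table -AutoSize
```

Where a genuine business need for macros exists, the `VBAWarnings = 3` setting still allows documents whose macros are signed by a trusted publisher, so the exception can be granted by code signing rather than by asking users to click "Enable Content". Running `Test-MacroPolicy` on its own from an endpoint management tool gives a quick compliance check without changing anything.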