With a focus on users rather than infrastructure, the Quantum ransomware gang executes an attack in mere hours.
“Usually, other gangs are targeting infrastructure while Quantum is keener to target users,” Stefano Maccaglia, the EMEA Incident Response Lead at the cybersecurity company NetWitness, told Cybernews.
Quantum has been making headlines, often because of the speed of its attacks. According to The DFIR Report, Quantum's domain-wide attack was one of the fastest ransomware incidents it had observed: the attackers gained initial access by compromising a user endpoint with an IcedID payload delivered inside an ISO image, and deployed the ransomware across the domain in less than four hours.
Additionally, the Symantec Threat Hunter Team found that the group, together with Conti and MountLocker, is linked to the newly developed Bumblebee malware loader, which is used to gain initial access to victim systems.
The same ransomware gang was linked to the data breach at Professional Finance Company Inc. (PFC), which recently released a list of 657 healthcare organizations affected by the breach. According to Vitali Kremez, CEO of threat prevention company AdvIntel, the attack was attributed to a Conti/Quantum sub-group. Although the full range of victims is not yet known, this could be one of the biggest healthcare data breaches of the year.
We talked to Stefano Maccaglia to learn more about how Quantum is different from other ransomware gangs and what lies ahead for them.
You've had experience with Quantum in the past. Could you elaborate on that and explain how the Quantum gang operates?
While managing incident response for NetWitness, which is a big name in the IR [incident response] market, we were engaged in several ransomware cases in the last six months. The Quantum ransomware gang was behind some of them. The main aspect of their attacks is the speed of the attack itself and the type of tools that these cyber criminals use. These types of attacks usually involve data theft, and the reason why they can be convincing in forcing the victim to pay is because they are promising to leak the stolen data publicly, which creates reputational damage.
Upholding the reputation is important for them as well because if a victim pays and the ransomware gang leaks the data nevertheless, it will also impact the ransomware gang in terms of reputation. It would be very difficult for them to convince future victims to pay.
There are aspects of a Quantum attack that are specific to this attacker. One of them is the speed of the attack. In a ransomware case involving Conti, which is the most nefarious ransomware gang at the moment, we are talking about somewhere between at least 30 and 40 days from the early stage of the attack. Meanwhile, with Quantum, we are potentially discussing hours.
Did you notice any particular industries that are being attacked?
Yes, based on experience, Italian public agencies have recently been disrupted significantly. There are a couple of public examples, one of them being an association of retainers in Italy. Their data was stolen in about three days, the victim did not pay, and the Quantum group leaked the data onto their website.
We investigated the attack in order to avoid any potential similar future attacks. If one attacker finalizes the attack, and you haven’t investigated the root cause, there is a high chance that another attacker, affiliate, or first-stage attacker will identify the same vulnerabilities and attack again.
Do you have an idea how big Quantum could be? That is, in terms of ransomware developers and affiliates.
One aspect that is remarkable about Quantum is that they don’t really have an affiliate program. Nowadays, the biggest names in the ransomware market operate in a sort of franchise model. They share tools, techniques, and teach one of these ransomware attackers how to attack. These ransomware attackers are the ones that operate the first stage of every attack in order to find breaches inside victims. Then, they sell them to the second level of that affiliate market which is basically the main ransomware gang.
Quantum is apparently not following this type of approach, instead, they are carrying out the attack themselves. So that is a little bit different than the other ransomware gangs that are leveraging a significant number of affiliates at the first stage.
I am expecting them to be less than 30 people.
Do you have any idea what geographical location they might be from?
Typically, when investigating this type of attacker, you can pinpoint the time they are usually active and the relative time zone they are operating in. From my perspective, they are operating in GMT+5 or GMT+4, which is typical in Eastern Europe.
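The time-zone inference Maccaglia describes above is a routine DFIR step: collect the UTC timestamps of attacker-attributed activity (logons, tool execution, file staging) and look for the UTC offset that best places them inside a normal working day. The following Python is an added example written for this article, not code from NetWitness, Cybernews or the interviewee. The event timestamps are constructed for illustration, and the 09:00-18:00 local working day is an assumption; both estimators should agree when the activity is clustered, and disagreement is itself a signal that the actor does not keep office hours.

```python
"""Estimate a threat actor's likely UTC offset from activity timestamps.

Added example for the Cybernews Quantum interview; not the interviewee's
tooling. All event timestamps below are constructed sample data.
"""
import math
from datetime import datetime, timezone

# Assumption: the actor works a 09:00-18:00 local day.
WORKDAY_START = 9
WORKDAY_END = 18
WORKDAY_CENTER = (WORKDAY_START + WORKDAY_END) / 2  # 13.5

# Constructed sample: UTC times of attacker-attributed events, clustered
# roughly 05:00-14:30 UTC, plus two outliers (02:10 and 18:40).
SAMPLE_EVENTS_UTC = [
    "2022-06-01T05:12:00Z", "2022-06-01T05:45:00Z", "2022-06-01T06:30:00Z",
    "2022-06-01T07:05:00Z", "2022-06-01T07:50:00Z", "2022-06-01T08:20:00Z",
    "2022-06-01T09:00:00Z", "2022-06-01T09:40:00Z", "2022-06-01T10:15:00Z",
    "2022-06-02T11:05:00Z", "2022-06-02T11:50:00Z", "2022-06-02T12:30:00Z",
    "2022-06-02T13:10:00Z", "2022-06-02T13:55:00Z", "2022-06-02T14:20:00Z",
    "2022-06-02T02:10:00Z", "2022-06-02T18:40:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fractional_hour(dt: datetime) -> float:
    """Hour of day as a float, e.g. 05:45 -> 5.75."""
    return dt.hour + dt.minute / 60 + dt.second / 3600


def circular_mean_hour(hours) -> float:
    """Mean hour of day on a 24-hour circle, so 23:00 and 01:00 average to 00:00.

    Each hour is mapped to a point on the unit circle; the angle of the
    summed vector is mapped back to [0, 24).
    """
    hours = list(hours)
    if not hours:
        raise ValueError("no timestamps to analyse")
    x = sum(math.cos(2 * math.pi * h / 24) for h in hours)
    y = sum(math.sin(2 * math.pi * h / 24) for h in hours)
    return (math.atan2(y, x) * 24 / (2 * math.pi)) % 24


def estimate_utc_offset(timestamps) -> int:
    """Offset (whole hours) that moves the circular mean of activity to mid-workday."""
    mean_utc = circular_mean_hour(fractional_hour(parse_utc(t)) for t in timestamps)
    offset = WORKDAY_CENTER - mean_utc
    offset = (offset + 12) % 24 - 12  # wrap into [-12, 12)
    return round(offset)


def workday_coverage(timestamps, offset_hours: int) -> float:
    """Fraction of events that fall inside the assumed local working day."""
    local = [(fractional_hour(parse_utc(t)) + offset_hours) % 24 for t in timestamps]
    if not local:
        raise ValueError("no timestamps to analyse")
    inside = sum(1 for h in local if WORKDAY_START <= h < WORKDAY_END)
    return inside / len(local)


def best_offset_by_coverage(timestamps) -> int:
    """Offset in [-12, +14] that maximises workday coverage (first best wins on ties)."""
    return max(range(-12, 15), key=lambda off: workday_coverage(timestamps, off))


if __name__ == "__main__":
    est = estimate_utc_offset(SAMPLE_EVENTS_UTC)
    cov = best_offset_by_coverage(SAMPLE_EVENTS_UTC)
    print(f"circular-mean estimate: UTC{est:+d}")
    print(f"best coverage:          UTC{cov:+d} "
          f"({workday_coverage(SAMPLE_EVENTS_UTC, cov):.0%} of events in working hours)")
```

Run on the constructed sample, both estimators land on UTC+4 with 14 of 17 events inside the assumed working day. In a real case, feed it every timestamp you can attribute to the actor over several days, and treat the result as one indicator among many: actors who deliberately work a victim's night shift, or who relay through infrastructure in another region, will skew it.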
Do you know what average ransom the group is usually asking for?
From my experience, while some of the interaction with the ransomware gang was not under my direct access, I can tell you that it was more or less about $200,000 per ransom. There were some cases where they asked for double this price, but based on interaction with some of the victims, in the end, the final price was between $200,000 and $150,000. That is, more or less, the target of their attacks, which is far cheaper compared to Conti or REvil, for example.
And what about their data leak sites? Do you know what they are?
Yes, they are writing a direct link to a Tor website where they leak the data. If I remember correctly, it contains data of about 20 victims. One of them is the Italian firm that I mentioned, but there are some others. From that perspective, we can’t really focus or highlight a specific type of victim because they span from energy to transportation, to public authorities, and others.
What do you think the future of Quantum is going to look like? Are they going to become as big as Conti or LockBit?
Obviously, they are a threat, but because of their structure, I’m not expecting them to evolve into a franchise. They might do it like the BitPaymer ransomware gang – at one point, they will probably split, especially if they are getting money out of these malicious attacks. In this case, when money comes in, some cyber criminals are happier to spend the money, while others have more entrepreneurial approaches. So I personally watched this in previous gangs like BitPaymer that split into two groups – one became BitPaymer, the other one Doppelpaymer. They started to become separate gangs leveraging on similar techniques and similar tools at the start, but they became two different groups.
If you look at Quantum, they had different names in the past, probably because they split or revamped their infrastructure in time. This is very common to cyber criminals because if you are collecting money and becoming big, you can’t do this alone for long. You need to start leveraging on support even from traditional criminal organizations because you are starting to collect attention and interest from Interpol, FBI, or others. So you are very careful in moving around because people are watching and trying to arrest you.