The dominance displayed by ransomware operators has left security analysts sleepless, facing the daunting task of creating effective detection strategies to mitigate potential attacks. However, network defense does not have to be this hard, at least not in the way the Anvilogic Forge team views and approaches it.
Through research, the team has created detections focusing on threat actor tactics, techniques, and procedures (TTPs); these detections are possible via Anvilogic‘s threat scenarios. You can align detections to identify signs of malicious behavior sequentially by dissecting attack patterns and attacker objectives. Understanding the steps an attacker takes to compromise an environment can help you create a roadmap to stop the attacker in their tracks before they reach the finish line.
This post will demonstrate how advanced sequence-based detections can reliably identify malicious threats, using Quantum ransomware as an example. While we focus on Quantum ransomware, the detection is not limited to this gang, as any threat actor group can use these attack patterns. Cybereason and The DFIR Report have each published a case study of Quantum ransomware operations, providing valuable insight into attacker behaviors and objectives during the group's attack campaigns.
Quantum Ransomware Background
The Quantum ransomware strain was observed as early as July 2021. The group has gone through several rebrandings since 2020, reinventing itself as Astro Locker and Xing Locker and, most recently, Quantum Locker. The gang is not entirely new: it is a rebranding of Mount Locker.
The ransomware group's data leak Tor site is named "Quantum Blog." As of April 2022, 20 victims had been identified, 7 of them new. The attackers are quick, and their impatience is also reflected in their ransom demands: the victim is given only 72 hours to respond, otherwise the stolen data is leaked. Observing case studies of Quantum ransomware breaches shows how the attackers operate and compromise a network. In both the Cybereason and The DFIR Report cases, the campaigns were swift, with a Time-to-Ransom (TTR) of just under four hours from initial access, leaving defenders only a tiny detection window.
Case Study 1: Cybereason
The banking trojan IcedID was the initial infection vector in both case studies; this group's reliance on IcedID as a TTP dates back to its Xing Locker era. Following execution of IcedID's DLL payload, the group's reconnaissance activity was observed gathering and collecting system information to send back to the attackers. Two hours after the IcedID execution, the attackers used Cobalt Strike to move into a more interactive phase of the attack, continuing to gather system information, this time with an AdFind batch script. With system and network information in hand, the attackers set the stage for lateral movement by gathering credentials from lsass.exe and connecting to other hosts over the Remote Desktop Protocol (RDP). Using WMI and PsExec to stage the ransomware binary across the network, they could then carry out the final deployment stage.
The Quantum ransomware gang carried out a comprehensive attack campaign in a short period of time. The activity detailed by Cybereason involved many singular detections familiar to blue team defenders: alerting on a malicious file downloaded to disk, execution of the Living Off The Land binary rundll32, and common reconnaissance commands issued through "net." Individually, these detections can be noisy, since network administrators routinely run "net" for everyday network troubleshooting and discovery. Even AdFind can be used legitimately. Triage analysts could easily miss the identifiers that mark the attack, and the singular detections would not capture the full story. A threat scenario built from Cybereason's report was capable of detecting the end-to-end narrative, as the details of the attack are transcribed into the threat scenario below. This sequence-based detection chains single threat identifiers together within a time constraint to create a high-fidelity rule.
Case Study 2: DFIR Report
The second case study, from The DFIR Report, offers a similar but more detailed view of a Quantum ransomware attack. As in the Cybereason case, the attackers favored IcedID for initial access and launched discovery commands shortly afterward to learn the victim's system and network. New details here are the use of scheduled tasks to establish persistence and process injection to launch Cobalt Strike. The activity that followed is eerily similar to the Cybereason attack pattern: batch files running AdFind were executed, followed by credential access and lateral movement activity that set up the ransomware deployment.
As with the previous case study, the attack path can be mapped strategically, placing threat identifiers that detect each individual action into a threat scenario to identify the full attack.
Scenario-based Detection & Threat Actor TTPs
Detection focused on tactics, techniques, and procedures remains vital in defending against adversaries. Reviewing the research shared by Cybereason and The DFIR Report shows Quantum ransomware executing a nearly identical attack in both cases, with only minor nuances added in The DFIR Report's account. The attack demonstrates the methodical, procedure-based approach threat actors take to achieve their objectives. As also explored in the Anvilogic Forge's post on the Conti leaks (The Conti Leaks emphasize the need for detection based on threat behaviors), threat actors don't stray far from proven attack techniques. The attack path shown by Quantum ransomware operators follows a chain of initial access with IcedID, discovery to map the victim's network layout, repeated discovery as necessary, credential gathering for lateral movement, and lateral movement over RDP to set up ransomware deployment. The attack path is simple and effective; however, understanding this path enables a sequence-based detection, grounded in research from the security community, that identifies an attack by Quantum ransomware operators.
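As an added illustration of the sequence-based detection described above (example code written for this post, not Anvilogic's threat scenario or its query language), the following Python correlates single threat identifiers per host in the order of the Quantum attack chain, inside one time window sized to the observed TTR. Event field names, file paths and timestamps are assumed and constructed; logon events are assumed to be attributed to the originating host, and the WMI/PsExec staging step is left out of the chain.

```python
from datetime import datetime, timedelta
# Ordered stages of the chain both case studies describe, matched per host in order.
STAGES = ("initial_access", "discovery", "credential_access", "lateral_movement")

def classify(ev):
    """Map an endpoint event to a stage, or None; field names are assumed here."""
    image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    if ev["kind"] == "process" and image.endswith("rundll32.exe") and ".dll" in cmd:
        return "initial_access"        # IcedID DLL payload launched via rundll32
    if ev["kind"] == "process" and image.endswith(("net.exe", "net1.exe", "adfind.exe")):
        return "discovery"             # net / AdFind reconnaissance
    if ev["kind"] == "process_access" and ev.get("target", "").lower().endswith("lsass.exe"):
        return "credential_access"     # handle opened on lsass.exe
    if ev["kind"] == "logon" and ev.get("logon_type") == 10:
        return "lateral_movement"      # RemoteInteractive (RDP) logon
    return None

def find_chains(events, window_hours=4):
    """{host: [(ts, stage), ...]} for hosts where all STAGES fire in order within
    window_hours of the first stage; repeated discovery in between is tolerated."""
    window, by_host = timedelta(hours=window_hours), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage: by_host.setdefault(ev["host"], []).append((ev["ts"], stage))
    hits = {}
    for host, seq in by_host.items():
        idx, start, chain = 0, None, []
        for ts, stage in seq:
            if start and ts - start > window:   # chain too slow: start over
                idx, start, chain = 0, None, []
            if stage == STAGES[idx]:
                start, chain, idx = start or ts, chain + [(ts, stage)], idx + 1
                if idx == len(STAGES):
                    hits[host] = chain
                    break
    return hits

# Constructed sample telemetry (not from the post); srv02's lone "net use" + RDP must not alert.
T0 = datetime(2022, 4, 1, 9, 0)
def mk_ev(host, mins, **f): return {"host": host, "ts": T0 + timedelta(minutes=mins), **f}
SAMPLE_EVENTS = [
    mk_ev("ws01", 0, kind="process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Users\u\AppData\Local\Temp\inv.dll,Init"),
    mk_ev("ws01", 5, kind="process", image=r"C:\Windows\System32\net.exe", cmdline="net group /domain"),
    mk_ev("ws01", 120, kind="process", image=r"C:\Tools\AdFind.exe", cmdline="adfind -f objectcategory=computer"),
    mk_ev("ws01", 130, kind="process_access", target=r"C:\Windows\System32\lsass.exe"),
    mk_ev("ws01", 150, kind="logon", logon_type=10),
    mk_ev("srv02", 0, kind="process", image=r"C:\Windows\System32\net.exe", cmdline="net use"),
    mk_ev("srv02", 1, kind="logon", logon_type=10),
]
```

Running `find_chains(SAMPLE_EVENTS)` flags only ws01, with the full ordered chain and its timestamps; tightening the window to one hour drops the match, which is the knob that trades coverage for fidelity.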
To learn more about the latest trending threats, sign up for the Anvilogic Threat Report to receive a weekly round-up of news and events relevant to cybersecurity professionals.
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry. Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections to defend themselves in an ever-changing threat landscape.
“We’re a team of people devoted to a safer internet. We work tirelessly into the night, tracking and responding to invisible threats. We follow dangerous paths and light the way forward with the glow of the Forge to make the web less dark.”
- Cybereason, Cybereason vs. Quantum Locker Ransomware: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- The DFIR Report, Quantum Ransomware: https://thedfirreport.com/2022/04/25/quantum-ransomware/
- The DFIR Report, IcedID to XingLocker Ransomware in 24 hours: https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/