In roughly the running time of The Batman, hackers completed a full ransomware attack, from initial access to encryption, according to in-depth details and screenshots from The DFIR Report. The target of the intrusion was not disclosed.
DFIR analysts revealed findings on their site demonstrating how the threat actors spread Quantum ransomware (also known as Quantum Locker) laterally throughout a domain in approximately 3 hours and 46 minutes – “one of the fastest ransomware cases we have observed,” said the group.
(Keep in mind, the “quantum” here is more of a rebrand of speedy ransomware and not a reference to, say, the physics of supercomputers.)
How it went down:
- A user was sent an email that appeared to contain an “invoice” but instead carried an ISO archive, a disk image file.
- When the user opened the ISO file, they saw what looked like a single document, which, in fact, was just a link to a hidden executable: IcedID malware. The ISO contained a DLL file (the IcedID malware) and a LNK shortcut to execute it.
- IcedID carried out discovery through built-in Windows utilities such as ipconfig and systeminfo before any “hands-on-keyboard activity” took place, according to the DFIR report. A scheduled task gave the malware persistence.
- Then, the hands-on-keyboard activity began. The attackers performed network reconnaissance, determining the environment’s many hosts and the organization’s Active Directory structure.
- The threat actors used the command-and-control framework Cobalt Strike to achieve remote access and proceeded to make Remote Desktop Protocol (RDP) connections to other servers in the environment.
- The ransomware executable was pushed from machine to machine throughout the network, encrypting disks as it went.
The attack was an example of Quantum ransomware, which was first spotted in August 2021. The speed of propagation, while noteworthy to two security experts who spoke to IT Brew, was not necessarily the most distressing feature of the break-in, according to John Burke, CTO at Nemertes Research, a Lusby, Maryland-based consulting firm. “This is pretty fast, but it’s nothing groundbreaking,” he said, adding that he was more struck by the malware’s direction than speed. Burke expressed concern at the idea that the target organization had network policies in place that allowed Microsoft’s Remote Desktop Protocol to connect laterally to other PCs.
The PCs did not appear to be configured to drop RDP traffic in general, which would be the right policy, said Burke, if the organization had no sanctioned RDP use cases.
“Why were those policies set up? And why were those kinds of communications allowed in the first place?” said Burke.
Speed, after all, isn’t the objective when you’re a cybercriminal looking to have access to valuable data for as long as possible, said Steve Thomas, co-founder and CEO of the Austin-based threat-intelligence provider HackNotice.
While considering the duration of the attack “super impressive,” Thomas doesn’t expect hackers to work at a lightning pace.
“I’m expecting them to actively be sitting in breached environments today trying to gain access to the maximum amount they can before they deploy ransomware, because they’re looking for the biggest payday,” Thomas told IT Brew.
What IT teams can do
Just because devices are sitting in offices next to each other on the same floor of the same building doesn’t mean that they should be able to connect at the network level, Burke said.
To avoid the lateral communication demonstrated in this attack, it is important to protect the access points to the network – even by using low-cost safeguards like VLANs, firewalls, or software-defined perimeter tools, according to Burke.
“If machines inside the network can’t talk to each other directly, most of the time, in most ways, it’s a lot harder for things like this to propagate,” said the Nemertes analyst.
While a variety of network safeguards and tools like log analysis can help flag anomalous activity, Thomas says that the best way to stop this kind of attack is to encourage awareness and to rely on people, especially your most perceptive employees, to spot unexpected activity.
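One way to turn Burke’s “drop RDP in general” policy and the log analysis mentioned above into a concrete check, as an added example that is not from the DFIR Report or IT Brew: the events, host names and allow-list below are constructed sample data modelled on Windows Security event 4624 with logon type 10 (RDP), and the two checks flag RDP landing on hosts that should not accept it and a single source hopping across several hosts in a short window.

```python
"""Flag lateral RDP logons in a workstation fleet from constructed Windows
Security log events. Added illustration, not code from the DFIR Report or
IT Brew; the event records and host roles below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: fields distilled from Windows event 4624
# (successful logon; LogonType 10 = RemoteInteractive, i.e. RDP).
EVENTS = [
    {"time": "2022-04-25T10:02:11", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.21", "dst_host": "JUMP01", "user": "itadmin"},
    {"time": "2022-04-25T10:41:03", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.21", "dst_host": "WKS-042", "user": "jdoe"},
    {"time": "2022-04-25T10:43:50", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.21", "dst_host": "WKS-077", "user": "jdoe"},
    {"time": "2022-04-25T10:46:19", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.21", "dst_host": "FS01", "user": "jdoe"},
    {"time": "2022-04-25T11:00:00", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.5.21", "dst_host": "FS01", "user": "jdoe"},
]

# Policy (constructed): the only hosts sanctioned to accept inbound RDP.
RDP_ALLOWED_DESTINATIONS = {"JUMP01"}

def policy_violations(events, allowed=RDP_ALLOWED_DESTINATIONS):
    """RDP logons landing on hosts that should drop RDP entirely."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 10
            and e["dst_host"] not in allowed]

def fan_out_sources(events, window=timedelta(minutes=15), min_hosts=3):
    """Sources that RDP into >= min_hosts distinct hosts within `window`:
    the machine-to-machine hopping pattern described in the article."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            by_src[e["src_ip"]].append(
                (datetime.fromisoformat(e["time"]), e["dst_host"]))
    flagged = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged
```

Network-logon events (type 3) are deliberately ignored so that ordinary file-share traffic to FS01 does not trip the RDP rule.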
“I think if we get employees to start thinking of the internet as a more dangerous place, then I think you’ll see these sorts of attacks drop off pretty quick,” said Thomas.—BH