29th April: Quantum ransomware really escalates quickly +++ Emotet is not dead yet! +++ Log4J – it ain’t over yet

Quantum ransomware really escalates quickly

Quantum ransomware was first discovered in August 2021 and has now been thoroughly analyzed by The DFIR Report, a security analyst group.

The Quantum ransomware is considered fast and aggressive, leaving little time to react. According to the analyst report, the attack takes 3 hours and 44 minutes from initial infection to completion of encryption.

The attack chain uses the IcedID malware, followed by Cobalt Strike for remote access. Initially, the malware arrives via a phishing e-mail with an ISO attachment. IcedID is a modular banking Trojan that over the past five years has been used primarily to distribute second-stage payloads such as loaders and ransomware. The combination of IcedID and ISO archives has been seen in other recent attacks, as these files are well suited to bypassing e-mail security controls.
Two hours after the initial infection, the threat actors inject Cobalt Strike into a C:\Windows\SysWOW64\cmd.exe process to evade detection. The next steps are to scan for network information and establish RDP connections to other servers.
Quantum Locker ransomware is a rebranding of the MountLocker ransomware operation (also known as AstroLocker and XingLocker), which peaked in September 2020. Its distinguishing feature is the .quantum file extension used for the encrypted files.

Once the threat actors had gained control of the domain, they prepared the deployment by copying the ransomware (named ttsel.exe) to each host via the C$ admin share. Finally, they used WMI and PsExec to launch the Quantum ransomware payload and encrypt the devices. The analysis and reports are inconclusive as to whether data was exfiltrated: past attacks involved data dumps, but none appeared in the current analysis.
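As an added example (not from The DFIR Report or this article), the following Python sketch turns the steps described above into detection logic: four rules run over a handful of constructed Sysmon and Windows Security events whose field names follow the real event schemas but whose values, including the loader path, are made up.

```python
import re

# Constructed sample events (not real telemetry), modelled on Sysmon and Windows
# Security log fields for the steps described above: thread injection into
# SysWOW64\cmd.exe, staging ttsel.exe over the C$ share, PsExec and WMI execution.
EVENTS = [
    {"source": "Sysmon", "id": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"source": "Security", "id": 5145, "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Windows\Temp\ttsel.exe", "AccessMask": "0x2"},
    {"source": "Security", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"source": "Sysmon", "id": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\Temp\ttsel.exe"},
    {"source": "Sysmon", "id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},  # benign control event
]

def detect(event):
    """Return a finding label for one event, or None if no rule matches."""
    src, eid = event["source"], event["id"]
    if src == "Sysmon" and eid == 8 and \
            event["TargetImage"].lower().endswith(r"\syswow64\cmd.exe"):
        return "remote thread into SysWOW64 cmd.exe (possible Cobalt Strike injection)"
    if src == "Security" and eid == 5145 and event["ShareName"].endswith("$") \
            and re.search(r"\.(exe|dll)$", event["RelativeTargetName"], re.I) \
            and int(event["AccessMask"], 16) & 0x2:          # 0x2 = WriteData
        return "executable written to an admin share (payload staging via C$)"
    if src == "Security" and eid == 7045 and \
            "psexesvc" in (event["ServiceName"] + event["ImagePath"]).lower():
        return "PsExec service installed (remote execution)"
    if src == "Sysmon" and eid == 1 and \
            event["ParentImage"].lower().endswith(r"\wbem\wmiprvse.exe") and \
            not event["Image"].lower().startswith("c:\\windows\\system32\\"):
        return "WMI provider host spawned a process outside System32 (remote WMI execution)"
    return None

def scan(events):
    """Apply every rule to every event; keep only the hits, in log order."""
    hits = []
    for e in events:
        label = detect(e)
        if label:
            hits.append((e["id"], label))
    return hits

if __name__ == "__main__":
    for eid, label in scan(EVENTS):
        print(f"event {eid}: {label}")
```

The rules are deliberately narrow; in a real SIEM they would be tuned against the admin tooling in use (PsExec and remote WMI are also used legitimately).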

The attackers do not only encrypt but also steal confidential data and threaten to publish it. The ransom demand is left in the form of an HTML file named “README_TO_DECRYPT.html”, which directs the user to a dedicated website reachable only via the Tor browser.
The attacks mostly hit late at night or on weekends, when admins' response times are longer.

Currently, this ransomware is not that active and only strikes a few times per month. But it is still something to consider!

So how can you protect yourself?

  • Block ISO and executable content as well as DLL and LNK files in e-mails
  • Restrict rights on the clients / no admin rights
  • User awareness
  • Search for IOCs in the network and block them immediately
  • Consider a SOC in order to be able to detect attacks 24/7
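An added example, not part of the original article, of how the attachment block from the first bullet could be enforced in Python: it checks attachment names against the listed extensions and additionally sniffs the content, so that an ISO or executable renamed to .pdf is still caught. The sample message and the attachment bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the recommendation above, plus content signatures so that a
# renamed attachment (an ISO called invoice.pdf) is caught as well.
BLOCKED_EXT = {".iso", ".exe", ".dll", ".lnk"}
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")

def sniff(data):
    """Identify PE executables, Windows shortcuts and ISO-9660 images by content."""
    if data[:2] == b"MZ":
        return "pe"                       # covers both .exe and .dll
    if data[:20] == LNK_MAGIC:            # HeaderSize 0x4C followed by the LNK CLSID
        return "lnk"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"                      # primary volume descriptor at sector 16
    return None

def check_attachments(msg):
    """Return (filename, blocked_by_extension, detected_type) for every attachment
    a blocking policy should stop; harmless attachments are not listed."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in BLOCKED_EXT or kind:
            findings.append((name, ext in BLOCKED_EXT, kind))
    return findings

def check_raw(raw):
    """Same check on a raw RFC 5322 message as handed over by the MTA."""
    return check_attachments(email.message_from_bytes(raw, policy=policy.default))

def build_sample():
    """Constructed test message: a renamed ISO, a .lnk shortcut and a harmless text file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"\0" * 0x8001 + b"CD001" + b"\0" * 16,
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(LNK_MAGIC + b"\0" * 32,
                       maintype="application", subtype="octet-stream", filename="notes.lnk")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg
```

Content inside an ISO or a password-protected archive is not inspected here; that is exactly why the recommendation is to block the container types outright rather than rely on scanning.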

Quantum ransomware seen deployed in rapid network attacks (bleepingcomputer.com)
Quantum Ransomware (thedfirreport.com)
Meteoric attack deploys Quantum ransomware in mere hours – Help Net Security
Quantum Ransomware Removal Report (enigmasoftware.com)
Rapid Network Attacks Exploited By Quantum Ransomware (speartip.com)

Emotet is not dead yet!

After a little slumber, Emotet seems to be back. Stronger than ever, unfortunately.

Emotet, first discovered in 2014 when it targeted customers of German and Austrian banks to steal login credentials, spreads mostly via very well-made spam e-mails. In January 2021 Europol successfully shut down the group, tracked as TA542 (aka Mummy Spider or Gold Crestwood). Just one year later Emotet reappeared and sent up to 1 million spam e-mails in a single attack.

The new activity differs from the group’s known modus operandi in some details:

  • The mails were not sent from the Emotet spam module but seem to stem from compromised e-mail accounts.
  • The spam mails contain OneDrive URLs instead of Microsoft Office attachments. The absence of macro-enabled Excel or Word attachments is a significant shift from previously observed Emotet attacks, suggesting that the threat actor is pivoting away from that technique to get around Microsoft’s plan to block VBA macros by default starting April 2022.
  • Furthermore, only very small batches of spam are currently sent out. It is assumed that the group is testing new attack methods on a small scale before adopting them in its larger-volume malspam campaigns, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products.

How can you protect yourself:

  • Block Office macros or do not execute them automatically
  • User Awareness – make sure your employees detect malicious e-mails and do not open links or attachments

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default (thehackernews.com)
Emotet Tests New Delivery Techniques | Proofpoint US
Emotet Botnet’s Latest Resurgence Spreads to Over 100,000 Computers (thehackernews.com)
Microsoft Disables Internet Macros in Office Apps by Default to Block Malware Attacks (thehackernews.com)

Log4J – it ain’t over yet

Log4j was 2021’s pre-Christmas present nobody wished for. In mid-December the critical security hole in the Java logging library Log4j was published, and only a few days later the first attacks began. First patches were published soon after, but Christmas was still ruined for most admins. AWS, Steam and iCloud were among those attacked. Besides ransomware attacks, the remote code execution was also used for crypto-mining.

“Log4j” is a widely used library for Java applications. A library is software that is integrated into other products to implement a specific functionality. The “Log4Shell” vulnerability allows cyber criminals to feed crafted input to a target server and then execute malware or even take control of the entire system. This can be done in very simple ways, e.g. through specially crafted text entered in a chat or console, so that the attacked system processes the attacker’s input and the attacker eventually gains control over the functions and data stored on that system.

Four months after the vulnerability was discovered, security researchers at Rezilion have taken stock. The problem is that the log4j library is used in countless pieces of software, which makes patching extremely difficult. The results should definitely alarm admins. Rezilion cites in its report that 17,480 open-source packages use Log4j, of which only 40% use a non-vulnerable version. In their search, they also came across 90,000 vulnerable open-source containers. They cite Apache Solr as an example. Apache Storm, for example, is reported not to have been patched until April 2022.
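An added example (not Rezilion’s tooling or code from the article) of why taking stock is hard: log4j-core is often buried inside other jars and wars. The Python scanner below reads the Maven pom.properties of an archive, recurses into nested archives, and classifies each log4j-core it finds; the 2.17.1 threshold and the sample archives are assumptions and constructions of this example.

```python
import io, re, zipfile

# Assumptions of this example, not statements from the article: 2.17.1 is used as the
# lowest acceptable 2.x version (the branches for old Java have 2.3.2 and 2.12.4), and
# JndiLookup.class is the class that the emergency workaround deletes from the jar.
FIXED = (2, 17, 1)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'version=2.0-beta9' -> (2, 0, 0); pre-release suffixes sort as the base version."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(fileobj, label):
    """Yield (label, version, status) for every log4j-core found in this archive or in
    any .jar/.war/.ear nested inside it (fat jars, WEB-INF/lib), recursing as needed."""
    with zipfile.ZipFile(fileobj) as z:
        names = set(z.namelist())
        if POM in names:
            version = parse_version(z.read(POM).decode(errors="replace"))
            if version and version >= FIXED:
                status = "fixed"
            elif JNDI not in names:
                status = "mitigated (JndiLookup removed; still upgrade)"
            else:
                status = "vulnerable"
            yield label, version, status
        for n in sorted(names):
            if n.endswith((".jar", ".war", ".ear")):
                try:
                    yield from inspect_archive(io.BytesIO(z.read(n)), f"{label}!{n}")
                except zipfile.BadZipFile:
                    pass  # a .jar entry that is not actually a zip; skip it

def make_sample(version, with_jndi=True, wrap_in=None):
    """Constructed in-memory archive with only the entries the scanner reads; with
    wrap_in set, the jar is nested under WEB-INF/lib/ inside an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI, b"\xca\xfe\xba\xbe")
    if wrap_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as w:
            w.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", buf.getvalue())
        buf = outer
    buf.seek(0)
    return buf
```

inspect_archive() also accepts a file path, so walking a directory tree (for instance an unpacked container image) and calling it on every .jar, .war and .ear covers the case Rezilion describes; shaded copies of log4j that rename the package are not found by this check.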

What should you do:

Log4Shell 4 Months Later – Rezilion
Situation report: danger from the critical Log4Shell vulnerability unabated | heise online
Log4j Vulnerability Resource Center (sonatype.com)
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-20 2238 UTC · GitHub
BSI – Critical vulnerability in the Java library log4j (bund.de)

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.