Another ransomware attack is garnering a lot of attention. Not because the perpetrators want an astonishing amount of crypto, or because they’re threatening to disrupt commerce across an entire country, but because the threat actors went from infecting the victim’s system to encrypting it in less than four hours.
To be precise, the Quantum Ransomware attack took just three hours and forty-four minutes from the time an employee was phished until the threat actors established a complete domain-wide lockdown.
With one of the fastest times to ransom (TTR) observed recently, the speed and efficiency of this attack make it especially concerning. Still, there is a bright side: the tooling and sequence used in this attack are increasingly well documented (see the DFIR Report for a breakdown of its execution), which gives organizations a better chance of detecting and responding quickly.
What Is Quantum Ransomware?
Quantum is a Latin root meaning sum or amount; think of its close relative, "quantity." In modern usage (quantum physics, quantum mechanics, quantum computing), "quantum" denotes the smallest possible discrete unit of a physical property such as energy or matter. The ransomware, however, is not named for the discrete amount of time the attack takes. It takes its name from the .quantum extension the malware appends to the files it encrypts.
How Do I Identify Ransomware Attacks Quickly?
Given the speed of this attack, organizations should be looking at ways to identify attacks quickly. Nasser Fattah, Shared Assessments Senior Advisor, says that “Having an established baseline as to what is ‘normally’ expected on computers and networks will greatly help… for example, trying to extract credentials from a computer’s memory is not typical regular end-user activity, nor is attempting to connect to other machines or servers using RDP protocols.” Fattah says these kinds of activities should be considered suspicious and monitored accordingly.
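The baseline approach Fattah describes, as an added example (not code from this page or from Shared Assessments): a small Python detector that checks two of the behaviours he names, a process reading memory from lsass.exe and RDP logons that fall outside an expected set of source/destination pairs, over constructed sample records, then correlates the two to find the host that most likely stole credentials and moved laterally. The record format (flattened key=value lines modelled on Sysmon Event ID 10 and Windows Security Event 4624), the host names, the baseline and the process allow-list are all assumptions made for illustration.

```python
import re

# --- Baseline (constructed for this example; a real one is built from your own
# telemetry over a quiet period) ------------------------------------------------
# Expected RDP paths as (source workstation, destination host), lower-case.
RDP_BASELINE = {
    ("jump01", "dc01"),
    ("jump01", "fileserver01"),
}
# Processes expected to open lsass.exe on a workstation (assumed allow-list).
LSASS_ALLOWED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}
# PROCESS_VM_READ (0x0010) and PROCESS_QUERY_INFORMATION (0x0400): the rights a
# tool needs to read credential material out of lsass.exe memory.
LSASS_READ_MASK = 0x0010 | 0x0400
RDP_LOGON_TYPE = "10"  # RemoteInteractive in Windows Security event 4624

# --- Constructed sample records (not captured from a real incident) -----------
SAMPLE_EVENTS = [
    # Benign: a system service touches lsass with a limited-query right only.
    r"EventID=10 Computer=WS-FINANCE-07 SourceImage=C:\Windows\system32\svchost.exe "
    r"TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000",
    # Suspicious: an unknown binary in a user temp folder reads lsass memory.
    r"EventID=10 Computer=WS-FINANCE-07 "
    r"SourceImage=C:\Users\jdoe\AppData\Local\Temp\update.exe "
    r"TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010",
    # Expected: admin RDP from the jump host to the domain controller.
    r"EventID=4624 Computer=DC01 LogonType=10 TargetUserName=ops_admin "
    r"WorkstationName=JUMP01 IpAddress=10.0.1.5",
    # Suspicious: RDP into a file server from an end-user workstation.
    r"EventID=4624 Computer=FILESERVER01 LogonType=10 TargetUserName=jdoe "
    r"WorkstationName=WS-FINANCE-07 IpAddress=10.0.4.23",
    # Not RDP: a normal console logon on the workstation, ignored.
    r"EventID=4624 Computer=WS-FINANCE-07 LogonType=2 TargetUserName=jdoe "
    r"WorkstationName=WS-FINANCE-07 IpAddress=127.0.0.1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened key=value record into a dict of strings."""
    return dict(KV_RE.findall(line))


def detect(lines, rdp_baseline=RDP_BASELINE, lsass_allowed=LSASS_ALLOWED):
    """Return (rule, host, detail) alerts for the two behaviours described above."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Computer", "").lower()
        if ev.get("EventID") == "10":
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            # Memory-read rights on lsass from a process outside the allow-list.
            if (target.endswith("\\lsass.exe")
                    and source not in lsass_allowed
                    and granted & LSASS_READ_MASK):
                alerts.append(("lsass_credential_access", host, source))
        elif ev.get("EventID") == "4624" and ev.get("LogonType") == RDP_LOGON_TYPE:
            source_ws = ev.get("WorkstationName", "").lower()
            # RDP from/to a pair that the baseline has never seen.
            if (source_ws, host) not in rdp_baseline:
                alerts.append(("rdp_outside_baseline", host,
                               f"{ev.get('TargetUserName')} from {source_ws}"))
    return alerts


def correlate(alerts):
    """Hosts that both read lsass memory and later appeared as an RDP source.

    That pairing is the sequence described above: harvest credentials on the
    first foothold, then move laterally over RDP with them. Such hosts are the
    ones to isolate first.
    """
    dumped = {host for rule, host, _ in alerts if rule == "lsass_credential_access"}
    rdp_sources = {detail.rsplit(" from ", 1)[1]
                   for rule, _, detail in alerts if rule == "rdp_outside_baseline"}
    return sorted(dumped & rdp_sources)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("hosts to isolate first:", correlate(found))
```

The point of the baseline is that neither rule is a signature for a specific tool: any process reading lsass memory that is not on the allow-list, and any RDP path not previously seen, gets flagged, so a renamed dumper or a new lateral-movement target still trips it. Tune the allow-list and baseline from your own telemetry; the values above are placeholders.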
Fattah also notes that government agencies at the local, state, and federal levels may be especially susceptible to these kinds of attacks because they often run older technologies, may be underfunded, and may lack technical resources, including subject matter experts. Given that the primary motive in ransomware attacks is financial gain, it would not be surprising for government agencies to become targets.
Why Is Multi Factor Authentication (MFA) Imperative?
As Shared Assessments Vice President Ron Bradley told Industrial Safety and Security Source (ISS Source), "The most recent Quantum Ransomware attack outlines the absolute imperative for turning on Multi Factor Authentication (MFA) for all systems, internal or external, that allow remote connections such as RDP, SSH, and others. This is true for private, public, and governmental sectors."
Bradley continued, “Additionally, organizations should deploy Privileged Access Management (PAM) solutions whereby the administrators don’t even know the RDP or SSH passwords, rather they must go through the PAM solution to gain access. This allows for greater control including robust alerts, logging, and monitoring.”