In order to prevent a ransomware attack, it's important to understand and protect against the behaviors of the different groups and strains. This includes understanding how quickly some of them are able to accomplish a full domain compromise. Researchers at The DFIR Report observed one of the fastest strains of ransomware going from initial access, likely through an IcedID-laced phishing email, to domain-wide ransomware in under four hours. While many ransomware groups delay their attack for days after initial access, the recently rebranded Quantum ransomware breaks the average with an extremely short timeframe. Not only does Quantum ransomware detonate in significantly less time than the median dwell time for ransomware (approximately 5 days), Quantum is also a prime example of how threat actors, including ransomware groups, rely heavily on built-in tools to hide in plain sight.
After the distribution of the IcedID payload, the malware launches a Cobalt Strike beacon – as is typical for ransomware these days – and then leverages built-in Windows tools to proliferate the attack. The group responsible for Quantum has been observed using everything from Active Directory tools to perform discovery of the environment to WMI or PsExec to execute the ransomware binary (from a Domain Controller). These methods are not entirely uncommon, but Quantum appears to have developed an efficient process. HelpNetSecurity has a useful bulleted list of additional behaviors to protect against, including the use of RDP for remote access and the use of the C$ share for spreading. Finally, this reliance on built-in tools stresses the importance of monitoring and reviewing alerts, even for expected traffic. SecurityWeek has more.
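Because each of the behaviors above (RDP logons, C$ share access, PsExec service installs, WMI-spawned processes) is also ordinary administrative activity, the useful signal is several of them across several hosts inside a short window. The following is an added detection example, not code from The DFIR Report, HelpNetSecurity or SecurityWeek; the event IDs are standard Windows Security, System and Sysmon IDs, while the hostnames, timestamps, sample records and the four-hour window are constructed assumptions chosen to match the timeframe described.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report). Fields mimic Windows Security
# (4624, 5140), System (7045) and Sysmon (1) logs after normalisation.
EVENTS = [
    {"ts": "2022-04-01T09:02:00", "host": "dc01", "id": 4624, "logon_type": 10, "user": "svc_backup"},
    {"ts": "2022-04-01T09:15:00", "host": "ws07", "id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.5"},
    {"ts": "2022-04-01T09:16:00", "host": "ws07", "id": 7045, "service": "PSEXESVC"},
    {"ts": "2022-04-01T09:40:00", "host": "ws09", "id": 1, "parent": "WmiPrvSE.exe", "image": "locker.exe"},
    {"ts": "2022-04-02T11:00:00", "host": "ws03", "id": 7045, "service": "PSEXESVC"},  # isolated admin use
]

def classify(ev):
    """Map one event to a built-in-tool lateral-movement indicator, or None."""
    if ev["id"] == 4624 and ev.get("logon_type") == 10:      # RemoteInteractive = RDP
        return "rdp_logon"
    if ev["id"] == 5140 and ev.get("share", "").upper().endswith(r"\C$"):
        return "admin_share_access"
    if ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
        return "psexec_service"
    if ev["id"] == 1 and ev.get("parent", "").lower() == "wmiprvse.exe":
        return "wmi_spawned_process"
    return None

def correlate(events, window=timedelta(hours=4), min_kinds=2, min_hosts=2):
    """Slide a time window over classified events; raise one alert when several
    distinct indicator kinds appear on several distinct hosts inside the window.
    A lone PsExec install on one host (routine admin work) does not qualify."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind:
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"], kind))
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        cluster = [h for h in hits[i:] if h[0] - start <= window]
        kinds = {k for _, _, k in cluster}
        hosts = {h for _, h, _ in cluster}
        if len(kinds) >= min_kinds and len(hosts) >= min_hosts:
            alerts.append({"start": start.isoformat(), "hosts": sorted(hosts), "indicators": sorted(kinds)})
            i += len(cluster)  # events already covered by this alert
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The constructed sample yields a single alert covering dc01, ws07 and ws09 while the next-day PsExec install on ws03 is left alone; in production the same logic would be fed from a SIEM rather than an inline list.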