{
	"id": "fb3bb443-e88c-45aa-a600-9ad375265d25",
	"created_at": "2026-04-06T00:11:51.24135Z",
	"updated_at": "2026-04-10T03:20:32.53284Z",
	"deleted_at": null,
	"sha1_hash": "6f2d38e95a19e0a1373abfbb275e0aff6d8e05f3",
	"title": "Cybereason vs. Quantum Locker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2619657,
	"plain_text": "Cybereason vs. Quantum Locker Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 19:25:45 UTC\r\nQuantum Locker is a ransomware strain that was first discovered in July 2021. Since then, it has been\r\nobserved in fast-moving ransomware attacks, in some cases with a Time-to-Ransom (TTR) of less than 4 hours, leaving\r\ndefenders little time to react.\r\nKey Details\r\nTime-to-Ransom (TTR) of less than 4 hours: The time from initial infection to encryption can be less than 4 hours,\r\nleaving defenders a very short window in which to stop the attack.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential\r\nof the attacks.\r\nHuman Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and\r\nmove laterally throughout the organization, carrying out a fully-developed RansomOps attack.\r\nDetected and Prevented: The AI-Driven Cybereason XDR Platform fully detects and prevents Quantum\r\nLocker.\r\nCybereason Blocks Quantum Locker\r\nThe Quantum ransomware is another rebranding of the notorious MountLocker ransomware, which launched back in\r\nSeptember 2020. 
Since then, the ransomware gang has rebranded its operation under various names, including AstroLocker,\r\nXingLocker, and now, in its current phase, Quantum Locker:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware\r\nPage 1 of 11\n\nRebranding of Mount Locker\r\nLike other ransomware operations following the double extortion trend, which has become second nature to ransomware gangs,\r\nQuantum Locker has its own data leak TOR website, “Quantum Blog”. According to the site, the gang has over 20\r\nvictims, 7 of them new as of April 2022:\r\nQuantum Leaks website\r\nThe gang's ransom demands vary depending on the victim, with some attacks demanding $150,000 for a\r\ndecryptor, while others are multi-million dollar demands, as shown below:\r\nQuantum support chat\r\nThe victim gets only 72 hours to get back in touch with the gang; if they do not, the stolen data is shared on the website for\r\nfree public download:\r\nStolen data shared on the Quantum Blog website\r\nBreaking Down the Attack\r\nInitial Infection Vector - IcedID\r\nThe infamous IcedID malware, which started as a banking trojan back in 2017, is observed being used as the initial\r\naccess vector by various ransomware gangs, among them Conti, REvil, and Quantum's former brand, Xing\r\nLocker. For now, the gang seems to continue with this method for Quantum Locker as well; “If it ain't broke,\r\ndon’t fix it.”\r\nThe IcedID campaign observed ending in Quantum Locker execution starts with a phishing attack via email. The email\r\ncontained an .iso image file that contains the IcedID loader payload in the form of a DLL (dar.dll) and a shortcut file (an\r\n.LNK file) that points to the IcedID payload and masquerades as a document. 
\r\nWhen mounting the .iso file, the end user only sees the shortcut file named “document”; the DLL itself is hidden.\r\nAfter the user clicks on the shortcut, the IcedID DLL is executed:\r\nDocument.lnk properties\r\nThe unpacked DLL is loaded into memory (loader_dll_64.dll) and begins its communication with the C2:\r\nThe execution of the IcedID payload as shown in the Cybereason XDR platform\r\nAs with most commodity malware, for example TrickBot, IcedID executes initial discovery commands and then\r\nexfiltrates the results via the C2 channel. If the threat actors find the organization to be of interest, they launch the next\r\nphase:\r\nCmd.exe /c chcp \u003e\u00262\r\nIpconfig /all\r\nSysteminfo\r\nNet config workstation\r\nNltest /domain_trusts /all_trusts\r\nNet view /all /domain\r\nNet view /all\r\nNet group Domain Admins /domain\r\nIcedID reconnaissance commands\r\nMoving to an Interactive Attack\r\nThe next phase of the attack starts after IcedID sends the reconnaissance output back to the C2. In some cases, it started\r\njust two hours after the user clicked on the .lnk file. In this phase, the threat actor starts an interactive attack in the\r\nbreached network. To do so, they use the initial IcedID implant to download and execute another implant. In most cases\r\nthe gang used a Cobalt Strike beacon to launch the interactive phase.\r\nFirst, the threat actor performs additional, more in-depth reconnaissance. They execute a script named\r\nadfind.bat that uses the AdFind tool to collect information about Active Directory. In addition, they run a batch\r\nscript named ns.bat which runs nslookup for each host in the domain.\r\nThe AdFind.bat script is dropped in the %temp% directory, along with the AdFind.exe binary and a 7Zip binary named\r\n7.exe. The output is saved into .txt files and sent to the C2. 
After that, the batch file covers its tracks by deleting the script,\r\nthe AdFind binary, the .txt files and the 7Zip binary:\r\nThe execution of AdFind.bat, as shown in the Cybereason XDR Platform\r\nLateral Movement\r\nTo move laterally in the environment, the threat actor first dumps the lsass process to obtain credentials.\r\nThen, they start making RDP connections to other servers in the environment and run remote WMI discovery tasks to test the\r\nobtained credentials:\r\nEvidence of credential dumping as shown in the Cybereason XDR Platform\r\nAfter confirming that the credentials work, the threat actor continues to prepare for the deployment of Quantum\r\nLocker. They start spreading through the network by copying the ransomware binary to the other machines' c$\\windows\\temp\\\r\nshared folder and then executing it remotely via WMI and PsExec.\r\nRansomware Execution\r\nUpon execution, the ransomware first checks for the presence of various services and processes related to security\r\nsoftware such as AVs, malware analysis tools, Microsoft Office, browsers and databases. 
If found, the ransomware tries\r\nto kill the service / process:\r\nmsftesql.exe\r\nsqlbrowser.exe\r\nsqlwriter.exe\r\noracle.exe\r\nocssd.exe\r\ndbsnmp.exe\r\nsynctime.exe\r\nagntsvc.exe\r\nisqlplussvc.exe\r\nxfssvccon.exe\r\nsqlservr.exe\r\nencsvc.exe\r\nocautoupds.exe\r\nmydesktopservice.exe\r\nfirefoxconfig.exe\r\nocomm.exe\r\nmysqld.exe\r\nsqlagent.exe\r\nmysqld-nt.exe\r\nmysqld-opt.exe\r\ndbeng50.exe\r\nsqbcoreservice.exe\r\nexcel.exe\r\ninfopath.exe\r\nmsaccess.exe\r\nmspub.exe\r\nonenote.exe\r\noutlook.exe\r\npowerpnt.exe\r\nsqlservr.exe\r\nvisio.exe\r\nwordpad.exe\r\nQBW32.exe\r\nQBW64.exe\r\nipython.exe\r\nwpython.exe\r\npython.exe\r\ndumpcap.exe\r\nprocmon.exe\r\nprocmon64.exe\r\nprocexp.exe\r\nprocexp64.exe\r\nthebat.exe\r\nsteam.exe\r\nthebat64.exe\r\nthunderbird.exe\r\nfirefoxconfig.exe\r\nmydesktopqos.exe\r\nwinword.exe\r\nList of processes to terminate\r\nThen, the ransomware starts its encryption routine. It encrypts the files on the disk and appends the .quantum extension to\r\nthem. It also leaves a ransom note named README_TO_DECRYPT.html:\r\nFiles encrypted by the Quantum Locker\r\nQuantum Locker ransom note\r\nIn addition, the ransomware creates a log file for its execution named \u003cransom_binary\u003e.exe.log. This log file contains\r\ninformation about the machine, user, domain, killed processes and services, and each file's status - whether it was encrypted or\r\nskipped.\r\nCybereason Detection and Prevention\r\nThe AI-driven Cybereason XDR Platform is able to prevent the execution of Quantum Locker using multi-layer\r\nprotection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV)\r\ncapabilities. 
Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform\r\nare able to detect and prevent any attempt to encrypt files and generate a MalOp™ for it:\r\nMalOp for Quantum Locker as shown in the Cybereason XDR Platform\r\nUsing the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason\r\nXDR Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted\r\nfiles. The prevention is based on machine learning, which blocks both known and unknown malware variants:\r\nCybereason user notification for preventing the\r\nexecution of Quantum Locker\r\nSecurity Recommendations\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection\r\nmode to Prevent - more information for Cybereason customers can be found here\r\nEnable the Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set\r\nthe detection mode to Moderate or above - more information for Cybereason customers can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain\r\naccess to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail\r\nfiltering\r\nIndicators of Compromise\r\nSHA256 - Quantum binaries:\r\nb63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192\r\n1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58\r\n511c1021fad76670d6d407139e5fef62b34ca9656fb735bd7d406728568fa280\r\nfaf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d\r\n0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2\r\n0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f\r\nSHA256 - IcedID .iso files:\r\n8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208\r\n2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e\r\n116e8c1d09627c0330987c36201100da2b93bf27560478be4043c1a834ad8913\r\n99a732c0512bc415668cc3a699128618f02bf154ff8641821c3207b999952533\r\nf72c47948a2cb2cd445135bc65c6bf5c0aaacc262ee9c04d1483781355cda976\r\nf8136eb39ee8638f9eb1acf49b1e10ce73e96583a885e4376d897ab255b39bd6\r\n79e25568a8aeec71d18adc07cdb87602bc2c6048e04daff1eb67e45f94887efc\r\nd44c065f04fe13bd51ba5469baa9077efb541d849ad298043739e08b7a90008f\r\n239d1c7cfd5b244b10c56abbf966f226e6a0cb91800e9c683ba427641e642f10\r\n7522b6de340a68881d11aa05e2c6770152e2d49ca5b830821ffce533fad948fd\r\n5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b\r\nIP - IcedID C2:\r\n138[.]68.42.130\r\n157[.]245.142.66\r\n188[.]166.154.118:80\r\nDomain - IcedID C2:\r\ndilimoretast[.]com\r\nantnosience[.]com\r\noceriesfornot[.]top\r\narelyevennot[.]top\r\nMITRE ATT\u0026CK TECHNIQUES\r\nInitial Access: Phishing, Valid Accounts\r\nLateral Movement: Taint Shared Content, Remote File Copy\r\nExecution: Command and Scripting Interpreter: PowerShell, Scheduled Task/Job, Windows Management Instrumentation, User Execution\r\nDefense Evasion: Masquerading, Process Injection\r\nCredential Access: Credentials from Password Stores\r\nDiscovery: Account Discovery, System Information Discovery, File and Directory Discovery, System Location Discovery\r\nCollection: Data from Local System\r\nImpact: Data Encrypted for Impact, Inhibit System Recovery\r\nAbout the Researcher:\r\nLIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT\r\nHUNTER, CYBEREASON\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and\r\nmalware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including\r\nBitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the\r\nfirst to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware"
	],
	"report_names": [
		"cybereason-vs.-quantum-locker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f2d38e95a19e0a1373abfbb275e0aff6d8e05f3.pdf",
		"text": "https://archive.orkl.eu/6f2d38e95a19e0a1373abfbb275e0aff6d8e05f3.txt",
		"img": "https://archive.orkl.eu/6f2d38e95a19e0a1373abfbb275e0aff6d8e05f3.jpg"
	}
}