Skip to content
Ransomware group Windows

Quantum

Quantum is a Windows ransomware family associated with the post-Conti cybercrime ecosystem.

Profile source: Mallory opens in a new tab

Quantum

Family profile

Quantum is a Windows ransomware family associated with the post-Conti cybercrime ecosystem. It emerged as one of the successor brands used by actors linked to Conti after that syndicate fragmented in 2022, and it is widely reported to have later rebranded into Royal and subsequently BlackSuit. Quantum has been referenced alongside other Conti-derived or affiliated operations in financially motivated intrusions targeting enterprises and critical-sector organizations.

Observed Quantum intrusions follow a conventional big-game ransomware pattern centered on enterprise compromise, lateral movement, data theft, and domain-wide encryption. In documented cases, operators conducted multi-day hands-on-keyboard activity after initial access, used post-exploitation tooling such as Cobalt Strike, leveraged remote administration software for command and control, exfiltrated victim data, and then deployed the ransomware broadly across the environment. Remote execution and propagation have been observed via administrative mechanisms such as WMI and PsExec, consistent with mass deployment across Windows domains.

Quantum has been linked to intrusion chains in which initial access was obtained through phishing-delivered malware, including Emotet, and to broader ransomware ecosystems that also relied on loaders such as Qakbot and BumbleBee. Reporting also places Quantum among ransomware brands used by financially motivated actors such as Vanilla Tempest, and among strains connected through transactions and personnel overlap to senior TrickBot and Conti figures. The family has also been cited in discussions of re-extortion behavior among ransomware operations targeting mid-market and larger enterprises.

At high confidence, Quantum should be understood as a Conti-lineage ransomware brand used in double-extortion-style enterprise attacks against Windows environments, with capabilities including data exfiltration, lateral movement, post-exploitation activity, and impact through large-scale encryption.

Capabilities

  • Exfiltration
  • Lateral Movement
  • Post Exploitation

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • ProcDump

Discovery Enum

  • AdFind

Exfiltration

  • MEGA
  • RClone

LOLBAS

  • PsExec
  • WMIC

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk
  • Atera
  • RSAT
  • Splashtop

Reported operators

Threat actors

2 named in public reporting
Conti

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

Stern

...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.

MITRE ATT&CK

Quantum in ATT&CK

5 distinct techniques

Reporting

Research mentioning Quantum

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.

Jun 12
Cyberscoop

Conti ransomware group member pleads guilty, faces up to 20 years in prison | CyberScoop

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

May 7
Cyber Security News

Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets

Labels on those files point to known malware families including Lumma, Quantum, AgentRacoon, and ArrowRAT.

May 5
Cyberscoop

Latvian national sentenced for ransomware attacks run by former Conti leaders | CyberScoop

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

Mar 7
Socket

5 Malicious NuGet Packages Impersonate Chinese UI Libraries ...

The crowdsourced YARA labels across the cluster include Lumma, Quantum, AgentRacoon, and ArrowRAT.

Oct 31
Bleeping Computer

Ukrainian extradited from Ireland on Conti ransomware charges

...infiltrated or taken over other ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, Hello Kitty, Hive, AvosLocker, Quantum, BlackByte, Karakurt...

Aug 15
Sentinelone

The Good, the Bad and the Ugly in Cybersecurity – Week 33

BlackSuit, linked to Royal, Quantum, and Chaos ransomware, has been tied to over 450 attacks across U.S. critical sectors...

Aug 4
Cyberscoop

Details emerge on BlackSuit ransomware takedown

"...Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.