Credential Theft
- Mimikatz
- ProcDump
Quantum is a Windows ransomware family associated with the post-Conti cybercrime ecosystem.
Profile source: Mallory opens in a new tabQuantum
Quantum is a Windows ransomware family associated with the post-Conti cybercrime ecosystem. It emerged as one of the successor brands used by actors linked to Conti after that syndicate fragmented in 2022, and it is widely reported to have later rebranded into Royal and subsequently BlackSuit. Quantum has been referenced alongside other Conti-derived or affiliated operations in financially motivated intrusions targeting enterprises and critical-sector organizations.
Observed Quantum intrusions follow a conventional big-game ransomware pattern centered on enterprise compromise, lateral movement, data theft, and domain-wide encryption. In documented cases, operators conducted multi-day hands-on-keyboard activity after initial access, used post-exploitation tooling such as Cobalt Strike, leveraged remote administration software for command and control, exfiltrated victim data, and then deployed the ransomware broadly across the environment. Remote execution and propagation have been observed via administrative mechanisms such as WMI and PsExec, consistent with mass deployment across Windows domains.
Quantum has been linked to intrusion chains in which initial access was obtained through phishing-delivered malware, including Emotet, and to broader ransomware ecosystems that also relied on loaders such as Qakbot and BumbleBee. Reporting also places Quantum among ransomware brands used by financially motivated actors such as Vanilla Tempest, and among strains connected through transactions and personnel overlap to senior TrickBot and Conti figures. The family has also been cited in discussions of re-extortion behavior among ransomware operations targeting mid-market and larger enterprises.
At high confidence, Quantum should be understood as a Conti-lineage ransomware brand used in double-extortion-style enterprise attacks against Windows environments, with capabilities including data exfiltration, lateral movement, post-exploitation activity, and impact through large-scale encryption.
Ransomware.live
Reported operators
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
MITRE ATT&CK
Reporting
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
Labels on those files point to known malware families including Lumma, Quantum, AgentRacoon, and ArrowRAT.
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
The crowdsourced YARA labels across the cluster include Lumma, Quantum, AgentRacoon, and ArrowRAT.
...infiltrated or taken over other ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, Hello Kitty, Hive, AvosLocker, Quantum, BlackByte, Karakurt...
BlackSuit, linked to Royal, Quantum, and Chaos ransomware, has been tied to over 450 attacks across U.S. critical sectors...
"...Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.