Quantum
Quantum is a ransomware family active in 2022 and part of the post-Conti ransomware ecosystem. Multiple sources describe it as one of the successor brands that emerged after Conti’s 2022 breakup: Conti members rebranded into subgroups including Zeon, Black Basta, and Quantum; Quantum then quickly rebranded to Royal, and that lineage rebranded again to BlackSuit in 2024. U.S. government and industry reporting links BlackSuit, Royal, and Quantum, and attributes hundreds of attacks to the broader lineage, including attacks on U.S. critical infrastructure sectors.
Operationally, Quantum was used in enterprise intrusions and double-extortion operations. In one documented Quantum case, PsExec and WMI were used for remote execution, consistent with broader reporting that ransomware deployment commonly relied on SMB for propagation and on WMI or PsExec for remote execution. Quantum also appears in reporting on re-extortion trends, where it was listed among closed RaaS variants targeting mid-market and larger enterprises. Coveware ranked Quantum among the top observed ransomware variants in Q4 2022, with a 4.8% share of observed cases.
Quantum is also tied to common initial-access and post-exploitation ecosystems. Qakbot/Qbot was reported to have been leveraged in successful attacks involving Quantum, alongside other strains such as Conti, REvil, and Black Basta. BumbleBee was reported to have previously been used to deploy Quantum, along with Conti, MountLocker, Diavol, and Akira. Additional reporting states that IcedID had been used to deliver ransomware from XingLocker, which rebranded as Quantum. A Microsoft podcast transcript says the financially motivated actor Vanilla Tempest used ransomware families including BlackCat, Quantum, and Zeppelin (spelled "Zeplin" in the transcript).
Separately, "QUANTUM" also names NSA surveillance tooling reportedly used against approximately 100,000 computers worldwide. Because the same name covers distinct tooling, that surveillance capability should not be conflated with the ransomware family; the SECONDDATE/QUANTUM and man-on-the-side passages in the technique entries below describe the NSA tooling, not the ransomware.
High-confidence associations from the sources: post-Conti lineage (Conti -> Quantum -> Royal -> BlackSuit), use in ransomware and extortion operations, observed use of PsExec and WMI in at least one Quantum case, and delivery or operational association with Qakbot, BumbleBee, and IcedID-linked activity.
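The PsExec and WMI remote-execution pattern above is what a detection engineer would hunt for on the endpoint. The following is an added example (not code from the page, from Mallory, or from any cited report) that runs three small detections over constructed Windows log records: an executable written into ADMIN$ over SMB (Security 5145), PsExec's service registration (System 7045), and a shell spawned by PSEXESVC.exe or WmiPrvSE.exe (Sysmon 1). Hosts, users, IPs and paths in the sample events are hypothetical, and the rule names and ATT&CK mappings are the example's own choices.

```python
"""Detections for PsExec (T1569.002) and WMI (T1047) remote execution,
run over CONSTRUCTED log records. Field names follow Sysmon Event ID 1,
Security Event ID 5145 and System Event ID 7045, but no record below
comes from a real incident; hosts, users, IPs and paths are hypothetical."""
from dataclasses import dataclass

SAMPLE_EVENTS = [
    # Benign process creation that must not alert.
    {"host": "WS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    # PsExec step 1: service binary written into ADMIN$ over SMB.
    {"host": "FS01", "channel": "Security", "event_id": 5145,
     "share_name": r"\\*\ADMIN$", "relative_target": "PSEXESVC.exe",
     "access_mask": "0x2", "user": r"CORP\svc-backup", "src_ip": "10.0.5.23"},
    # PsExec step 2: the dropped binary registered as a service.
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "user": r"CORP\svc-backup"},
    # PsExec step 3: the service spawns the operator's shell.
    {"host": "FS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe", "user": r"CORP\svc-backup"},
    # WMI remote execution: the WMI provider host spawns PowerShell.
    {"host": "DB02", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "user": r"CORP\svc-backup"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    host: str
    detail: str


# Interpreters and LOLBins that PsExec and WMI typically launch on the target.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_admin_share_exe_write(ev):
    """5145: write access (bit 0x2 of AccessMask) to an executable in ADMIN$ or C$."""
    if ev.get("channel") != "Security" or ev.get("event_id") != 5145:
        return None
    share = ev.get("share_name", "").upper()
    target = ev.get("relative_target", "").lower()
    mask = int(ev.get("access_mask", "0x0"), 16)
    if share.endswith(("ADMIN$", "C$")) and target.endswith((".exe", ".dll")) and mask & 0x2:
        return Finding("admin_share_exe_write", "T1021.002", ev["host"],
                       f"{ev.get('user')} wrote {target} to {share} from {ev.get('src_ip')}")
    return None


def detect_psexec_service_install(ev):
    """7045: new service named PSEXESVC or backed by PSEXESVC.exe (PsExec's defaults)."""
    if ev.get("channel") != "System" or ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").upper()
    if name == "PSEXESVC" or basename(ev.get("image_path", "")) == "psexesvc.exe":
        return Finding("psexec_service_install", "T1569.002", ev["host"],
                       f"service {name} -> {ev.get('image_path')}")
    return None


def detect_remote_exec_child(ev):
    """Sysmon 1: a shell whose parent is PSEXESVC.exe (PsExec) or WmiPrvSE.exe (WMI)."""
    if ev.get("channel") != "Sysmon" or ev.get("event_id") != 1:
        return None
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if child not in SHELLS:
        return None
    if parent == "psexesvc.exe":
        return Finding("psexec_child_process", "T1569.002", ev["host"], f"{parent} -> {child}")
    if parent == "wmiprvse.exe":
        return Finding("wmi_remote_process", "T1047", ev["host"], f"{parent} -> {child}")
    return None


RULES = (detect_admin_share_exe_write, detect_psexec_service_install, detect_remote_exec_child)


def run_detections(events):
    """Apply every rule to every event; returns Findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def psexec_chains(findings):
    """Hosts where the full PsExec sequence (share write, service install,
    child shell) was seen; far higher confidence than any single rule."""
    needed = {"admin_share_exe_write", "psexec_service_install", "psexec_child_process"}
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(host for host, rules in seen.items() if needed <= rules)


if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.technique:10} {f.rule:24} {f.detail}")
    print("full PsExec chain on:", psexec_chains(hits))
```

Two caveats for production use: Event ID 5145 only exists if Detailed File Share auditing is enabled, and PsExec's `-r` option renames the service, so the 7045 rule should be widened (for example, to any new service whose binary sits directly under %SystemRoot%) once baselined. WmiPrvSE.exe spawning shells also occurs with some management tooling, so the WMI rule is a candidate for tuning against known administrative accounts rather than a standalone high-severity alert.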
Groups observed using it
1 distinct threat actor attributed by public researchers.
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques (NSA QUANTUM surveillance tooling, not the ransomware)
Using SECONDDATE and QUANTUM, the NSA's Tailored Access Operations hacking team infected an internal staff network in Pakistan’s National Telecommunications Corporation, and quietly installed surveillance code on four ZXJ10 switches.
Credential Access
1 technique (NSA QUANTUM surveillance tooling, not the ransomware)
By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond... In the academic literature, these are called 'man-in-the-middle' attacks... More specifically, they are examples of 'man-on-the-side' attacks.
Collection
1 technique (NSA QUANTUM surveillance tooling, not the ransomware; supported by the same man-on-the-side passage cited under Credential Access)
Command and Control
2 techniques
Most recently, IcedID has reportedly been used to download and execute Quantum Locker ransomware... Emotet is being used to load Quantum and ALPHV ransomware... and is being used to load and execute IcedID.
Impact
1 technique
"2022 was an impactful year in the fight against ransomware... Ransomware payments are significantly down. However, that doesn’t mean attacks are down..."
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Referenced as a known malware family based on labels found on related malicious files in VirusTotal.
A ransomware subgroup/brand that emerged from Conti and then quickly rebranded to Royal.
Mentioned only as a crowdsourced YARA family label applied to related artifacts; the report explicitly says these labels reflect shared obfuscation technique rather than definitive family classification.
Ransomware operation cited as associated with post-Conti member migration/infiltration.