Inactive ransomware operator
← All groupsQuantum
aka QuantumLocker, Mount Locker, DagonLocker · 68 victims indexed · first seen 5 years ago · last activity 3 years ago
68
Victims indexed
#91 of 348 tracked operators
1y 3m
Active period
Sep 2021 → Dec 2022
10
Countries hit
top United States · 25
At a glance
- Status
- inactive
- Aliases
- QuantumLocker, Mount Locker, DagonLocker
- First seen
- 5 years ago
- Last activity
- 3 years ago
- Onion sites
- 4 known endpoints
- Primary sector
- Business Services · 8 hits
About
Quantum is a ransomware group that emerged in September 2021, operating with primarily financial motivations and demonstrating a focus on high-value targets across English-speaking nations. The group's geographic targeting patterns and operational characteristics suggest possible connections to established ransomware ecosystems, though specific attribution or confirmed affiliations with other threat actors remain undocumented in public reporting. Quantum operators typically employ double extortion tactics, combining data encryption with the threat of public data exposure to maximize pressure on victims, and their campaigns have consistently targeted sectors with critical operational dependencies including business services, manufacturing, and information technology infrastructure. The group has maintained a relatively low public profile compared to other major ransomware operations, with their 68 documented victims representing a more selective approach to target acquisition rather than broad-scale campaigns. Despite limited public law enforcement reporting specifically focused on Quantum operations, the group's continued activity pattern suggests they remain an active threat as of recent observations, though comprehensive operational details remain scarce in publicly available threat intelligence reporting.
References
18 linksExternal sources curated by the MISP threat-intel community.
- malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker
- securityscorecard.pathfactory.com/research/quantum-ransomware
- bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/
- bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/
- dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html
- blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
- github.com/Finch4/Malware-Analysis-Reports/tree/master/MountLocker
- chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
- symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines
- kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/
- cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- thedfirreport.com/2022/04/25/quantum-ransomware/
- ransomlook.io/group/quantum
- ransomlook.io/group/dagonlocker
- sentinelone.com/anthology/dagon-locker/
- asec.ahnlab.com/en/42037/
- broadcom.com/support/security-center/protection-bulletin/dagon-locker-ransomware
- mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/icedid-infection-to-dagon-locker-ransomware-apr29-22-7.pdf
Timeline
14 months2021-09-01T00:00:00+00:002022-12-01T00:00:00+00:00
Top countries
🇺🇸 United States
25
🇨🇦 Canada
6
🇦🇺 Australia
3
🇬🇧 United Kingdom
2
🇰🇼 KW
1
🇮🇱 Israel
1
🇩🇴 Dominican Republic
1
🇳🇱 Netherlands
1
Top sectors
Business Services
8
Manufacturing
7
Information Technology
3
Education
3
Law Firms & Legal Services
2
Government
2
Engineering
2
Wholesale & Retail
2
MITRE ATT&CK
5 techniques · 4 tacticsTactics
Initial AccessExecutionDefense EvasionImpact
Recent victims
Loading…
Onion infrastructure
4 known- http://22rnyep2aa2exx3fdm26p4onwjfmhciodb55v5l3w4iny7e5bxpg3yad.onion
- http://22rnyep2aa2exx3fdm26p4onwjfmhciodb55v5l3w4iny7e5bxpg3yad.onion/
- http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion
- http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion/
Source
Updated 3 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.