Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actorExploits 1 CVE

Quantum Locker

Quantum Locker is a ransomware payload referenced in reporting on the financially motivated threat actor Vanilla Tempest, also known as Vice Society/VICE SPIDER. The malware is described in the provided content only as one of several ransomware families that this actor has deployed over time, alongside BlackCat, Zeppelin, Rhysida, and in some reporting Hello Kitty/Five Hands. Vanilla Tempest has been active since at least 2021 or 2022 and has frequently targeted organizations in the education, healthcare, IT, and manufacturing sectors. The content also notes a prior case in which deployment of the Atera agent and Splashtop Streamer on a compromised system resulted in Quantum Locker ransomware being deployed. Beyond these associations, the provided material does not include high-confidence technical details on Quantum Locker’s internal functionality, encryption behavior, ransom notes, infection vector specific to the malware itself, or distinct indicators of compromise.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2021-44228Log4Shell

“The only other case that we identified using this version of Atera agent and an installation of Splashtop Streamer resulted in the deployment of Quantum Locker ransomware.”

via sophos threat researchnews.sophos.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Vanilla Tempest

Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.

via acronisacronis.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence1

Most recently, IcedID has reportedly been used to download and execute Quantum Locker ransomware... Emotet is being used to load Quantum and ALPHV ransomware... and is being used to load and execute IcedID.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
acronisNews
Jun 17, 2026
From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

Named ransomware family referenced as one of the third-party payloads used by Vice Society.

Read more
rescana blogNews
Oct 19, 2025
Microsoft Teams Targeted in Rhysida Ransomware Campaign: Over 200 Fraudulent Certificates Revoked by Microsoft

Ransomware family referenced as previously deployed by Vanilla Tempest (no technical details provided in the content).

Read more
scworldNews
Oct 17, 2025
Vanilla Tempest’s Rhysida ransomware attacks foiled | SC Media

Ransomware payload used by the threat actor in addition to other ransomware families.

Read more
the hacker newsNews
Oct 17, 2025
Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign

Ransomware strain attributed in the content as one of multiple families delivered by Vanilla Tempest over time.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.