Cybercriminals have found a new vector for ransomware attacks by abusing the Windows Quick Assist feature. These financially motivated attackers, known as Storm-1811, use social engineering tactics to deploy the Black Basta ransomware on victims' networks.
Here's how they do it and what you can do to protect yourself.
The Tactics of Storm-1811: Email Bombing and Impersonation
(Photo : Philipp Katzenberger from Unsplash)
Cybercriminals with expertise in social engineering are abusing the Windows Quick Assist feature in the latest Black Basta ransomware attack.
The attacks typically start with an email bombing campaign. Cybercriminals subscribe their targets to numerous email services, flooding their inboxes with spam.
Amid this chaos, they impersonate Microsoft technical support or the targeted company's IT staff and call the victims, offering to help resolve the spam issue.
Related Article: Black Basta Ransomware Gang Steals 'Large Number of Files' from Toronto Public Library
Exploiting Windows Quick Assist
During these voice phishing (vishing) calls, the attackers persuade victims to grant remote access to their computers using Windows Quick Assist, a built-in tool for remote control and screen sharing.
"In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike," Microsoft said.
Once access is granted, the attackers run scripted cURL commands to download malicious batch or ZIP files, according to Bleeping Computer.
Deployment of Black Basta Ransomware
After establishing control, Storm-1811 installs various malicious tools. They perform domain enumeration and lateral movement across the network using the Windows PsExec tool. Ultimately, they deploy the Black Basta ransomware, encrypting critical data and demanding a ransom.
Credential Harvesting
Cybersecurity firm Rapid7 observed that attackers use batch scripts to harvest victim credentials via PowerShell. These credentials are often gathered under the guise of an update requiring the user to log in. The stolen credentials are then exfiltrated to the attackers' server via Secure Copy Protocol (SCP).
Preventive Measures and Recommendations
Blocking Quick Assist
Microsoft advises network defenders to block or uninstall Quick Assist and similar remote management tools if they are not essential. This can prevent attackers from exploiting these tools to gain unauthorized access.
Employee Training
Training employees to recognize tech support scams is crucial. Employees should be cautious of unsolicited help offers and should only allow remote access if they initiate contact with their IT support or Microsoft Support. Any suspicious Quick Assist sessions should be immediately disconnected.
Origins and High-Profile Attacks
Black Basta emerged in April 2022 as a Ransomware-as-a-Service (RaaS) operation, possibly a faction of the defunct Conti cybercrime group. It has since targeted numerous high-profile organizations, including German defense contractor Rheinmetall, U.K. tech firm Capita, Hyundai's European division, and the American Dental Association.
Impact on Critical Infrastructure
According to CISA and the FBI, Black Basta affiliates have breached over 500 organizations, affecting 12 out of 16 critical infrastructure sectors. The ransomware gang has accelerated attacks against the healthcare sector, forcing some facilities, like U.S. healthcare giant Ascension, to divert ambulances to unaffected locations.
Financial Impact
Research by cybersecurity companies Elliptic and Corvus Insurance reveals that Black Basta has collected at least $100 million in ransom payments from over 90 victims as of November 2023. This underscores the financial motivation and the significant threat posed by this ransomware gang.
The abuse of Windows Quick Assist by cybercriminals highlights the need for more effective cybersecurity practices. By understanding these attack vectors and implementing preventive measures, organizations can better protect themselves from ransomware attacks like those perpetrated by Black Basta.
Meanwhile, Tech Times reported that the US intends to wage psychological warfare against ransomware gangs by striking paranoia into them.
