- Hackers flood victims’ emails with spam and impersonate IT support via phone calls.
- They use Windows Quick Assist to gain remote access and deploy ransomware.
- Attackers steal login credentials and encrypt files, demanding ransom payments.
Hackers have combined traditional spam techniques with the misuse of Windows’ built-in remote assistance tool, Quick Assist, to deploy the Black Basta ransomware variant.
This new method involves tricking victims into granting remote access to their computers, allowing hackers to infiltrate networks and steal sensitive information.
The attackers, identified by Microsoft as Storm-1811, use a multi-step approach to compromise their targets. Initially, they need to gather the victim’s email address and phone number. With this information, they can launch their attack.
The first step involves bombarding the victim’s email inbox with a deluge of unwanted newsletters and notifications.
By signing the victim up for numerous email subscription services, the attackers create a chaotic and overwhelming situation. This tactic not only distracts the victim but also makes it more likely they will fall for the subsequent scam.
The Phone Call
Following the email bombardment, the attackers make a phone call to the victim, posing as either a Microsoft IT technician or a member of the victim’s company’s IT help desk.
During the call, they claim to offer assistance with sorting out the email issue. This is where they introduce Windows Quick Assist, a tool designed for remote support, asking the victim to grant them access to their computer.
Once the victim agrees to use Quick Assist, the attackers gain control over their system. Microsoft explains that at this point, the hackers run a scripted cURL command to download a series of malicious batch files or ZIP files. These files are used to deliver various malicious payloads.
The malicious payloads downloaded by the attackers include tools like Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike. These tools enable the attackers to move laterally across the network, mapping it out and eventually deploying the Black Basta ransomware.
In addition to deploying ransomware, the attackers also focus on stealing login credentials. They do this under the guise of an ‘update’ that requires the victim to log in.
Rapid7, a cybersecurity research firm, reported that in many cases, the stolen credentials are immediately sent to the attackers’ server via a Secure Copy command (SCP). In other instances, the credentials are saved to an archive for manual retrieval later.
Once the ransomware is deployed, the victim’s files are encrypted, rendering them inaccessible.
The attackers then demand a ransom payment in exchange for the decryption key. The consequences of such attacks can be devastating, particularly for businesses that rely on access to their data for daily operations.
Protecting Yourself
To safeguard against these types of attacks, it is crucial to be cautious when receiving unsolicited emails and phone calls, especially those that request remote access to your computer.
Here are some steps to protect yourself:
- Verify the Caller: If someone claims to be from your IT department or a trusted company, always verify their identity through official channels before granting any access.
- Use Multi-Factor Authentication (MFA): Implementing MFA can add an extra layer of security, making it more difficult for attackers to gain access to your accounts.
- Keep Software Updated: Ensure that all your software, including your operating system and any remote access tools, are up to date with the latest security patches.
- Educate Yourself and Your Team: Awareness is key. Educate yourself and your team about the signs of phishing and social engineering attacks.
- Limit Remote Access Tools: Disable or limit the use of remote access tools like Quick Assist unless absolutely necessary.
The creative yet alarming use of Windows Quick Assist by hackers to deploy ransomware underscores the importance of vigilance in cybersecurity.
By staying informed and taking proactive steps, you can reduce the risk of falling victim to such sophisticated attacks. Remember, the best defense is a combination of awareness, caution, and robust security practices.
