Cybercriminals have now identified a new vector for ransomware attacks by leveraging the Windows Quick Assist feature. Consequently, this emerging threat, primarily driven by a group known as Storm-1811, employs sophisticated social engineering techniques to deploy the notorious Black Basta ransomware. Therefore, understanding these tactics and implementing effective cybersecurity measures are crucial to mitigating these threats.
Since mid-April 2024, the campaign has actively targeted a variety of industries and verticals, including manufacturing, construction, food and beverage, and transportation, underscoring the opportunistic nature of the attacks.
The Attack Chain
The attack typically begins with an email bombing campaign. Cybercriminals subscribe their targets to numerous email services, overwhelming their inboxes with spam. Amid this chaos, they impersonate Microsoft technical support or the target company’s IT staff, offering to resolve the spam issue through a phone call. This impersonation is part of a broader trend of tech support scams prevalent in the cybersecurity landscape.
Once the victim is on the call, the attackers exploit the Windows Quick Assist feature. This tool, intended for remote troubleshooting, allows attackers to gain remote access to the victim’s computer. They persuade victims to grant access under the guise of technical support, enabling them to download malicious tools and ultimately deploy ransomware.
Deployment of Malicious Tools
Upon gaining access, Storm-1811 runs scripted cURL commands to download malicious batch or ZIP files. This often includes remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, as well as Qakbot and Cobalt Strike. The attackers then perform domain enumeration and lateral movement across the network using tools like PsExec. The final step involves deploying the Black Basta ransomware, which encrypts critical data and demands a ransom.
Credential Harvesting and Exfiltration
In addition to deploying ransomware, attackers also harvest victim credentials. They use batch scripts to gather credentials via PowerShell, often under the pretext of an update requiring the user to log in. These credentials are then exfiltrated to the attackers’ server via Secure Copy Protocol (SCP).
Origins and Impact of Black Basta
Black Basta emerged in April 2022 as a Ransomware-as-a-Service (RaaS) operation, possibly a faction of the defunct Conti cybercrime group. Since its inception, it has targeted numerous high-profile organizations, including German defense contractor Rheinmetall, UK tech firm Capita, Hyundai’s European division, and the American Dental Association. According to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, Black Basta affiliates have breached over 500 organizations, affecting 12 out of 16 critical infrastructure sectors. The ransomware gang has collected at least $100 million in ransom payments from over 90 victims as of November 2023.
Preventive Measures
To counter these threats, Microsoft and cybersecurity experts recommend to block or uninstall remote management tools like Quick Assist when not in use. Quick Assist is installed by default on Windows 11 devices, posing an inherent risk. By understanding these attack vectors and implementing preventive measures, organizations can better protect themselves from ransomware attacks like those perpetrated by Black Basta.
Conclusion
The misuse of Windows Quick Assist by cybercriminals underscores the need for enhanced cybersecurity practices. Organizations must remain vigilant and proactive in their efforts to educate users, manage tools, and secure networks to mitigate the risks posed by sophisticated ransomware attacks. By raising awareness and implementing recommended mitigations, organizations can bolster their defenses and reduce the threat of ransomware.