A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.
The attacks typically begin with email bombing, where the target's inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim's IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.
Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.
Rapid7, a cybersecurity company that also detected these attacks, noted that attackers use batch scripts to harvest credentials from the command line using PowerShell. These credentials are often exfiltrated to the attackers' server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.
To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees should be trained to recognise tech support scams and instructed to only allow remote access if they initiated the contact with IT support. Suspicious Quick Assist sessions should be immediately disconnected.
The Black Basta ransomware operation emerged after the Conti cybercrime group disbanded two years ago following multiple data breaches. Black Basta began operating as a Ransomware-as-a-Service (RaaS) in April 2022 and has since attacked numerous high-profile targets, including defence contractor Rheinmetall, technology company Capita, Hyundai's European division, and the American Dental Association.
Recent attacks linked to Black Basta include a ransomware incident at U.S. healthcare giant Ascension, which disrupted ambulance services. According to a joint advisory by CISA and the FBI, Black Basta affiliates have breached over 500 organisations across 12 out of 16 critical infrastructure sectors since April 2022, causing data breaches and encryption.
Health-ISAC, an information sharing and analysis centre, has warned of increased attacks against the healthcare sector by Black Basta. Research by Elliptic and Corvus Insurance indicates that the group has extorted at least $100 million in ransom payments from over 90 victims by November 2023.
Microsoft is enhancing Quick Assist to improve transparency and trust between users, including adding warning messages to alert users about potential scams. Rapid7 observed similar scams targeting their customers, with attackers using other remote monitoring tools like AnyDesk.
To prevent such attacks, organisations should block unapproved remote management tools and train staff to recognise and report suspicious calls and messages. Quick Assist should only be used if the interaction was initiated by contacting official support channels.
The recent misuse of Windows Quick Assist in deploying Black Basta ransomware pushes forward the vision for increased vigilance and robust cybersecurity practices to save all our digital assets from such social engineering attacks.
