
Hackers Use IT Support Disguise to Infiltrate Systems

Cybercriminals in Russia are tricking victims into installing ransomware by posing as technical support over Microsoft Teams. Once they have convinced a victim that there is an IT problem, they talk the victim into granting access that lets ransomware be installed on the target's network.

A British cybersecurity company, Sophos, reported on Thursday that it had observed over 15 instances of two separate groups attempting to socially engineer their way onto a victim's computer using Microsoft Office 365's default settings. Several reports indicate that these gangs bombard employees with spam emails and then approach them through Teams to "resolve" the issue. Eventually, they trick their victims into granting them remote access to their computers.

Once given access, the attackers install malicious software that steals data, freezes computer systems, and holds the organization to ransom. Sophos linked the fast-spreading campaign to two Russian criminal groups, FIN7 and Storm-1811, and said the tactic had been used 15 times in the last three months, eight of them in the past fortnight.

Sophos has reported that the hackers increasingly use a technique of sending 3,000 spam messages to a worker within an hour, then contacting them through Teams to "fix" the problem. When the victims provide remote access to their computers, the hackers install malicious software that extracts data from the machine. In light of the growing use of the tactic, businesses that use Teams, Microsoft's flagship platform for working from home, and other Microsoft products have been warned to be on "high alert" as the tactic spreads more widely.

The company's principal threat researcher, Sean Gallagher, stated that "Microsoft Teams by default allows people outside an organization to connect with or call the internal team at a company, so attackers are utilizing this feature." The revelation comes as the British government plans to ban ransomware payments following a recent report.

As part of a plan to combat a rise in cybercriminal activity, councils, schools, NHS trusts, and other public sector organizations will be barred from making ransomware payments. Experts are describing this as the largest anti-ransomware measure ever taken by any national government. In one of the cases investigated, which took place on U.S. Election Day, the fake support staff instructed the employee to allow a remote screen control session. The attacker used the remote control session to open a command shell, drop a file, and execute malware.

Two of the files, a Java archive (JAR) and a Python code archive (zip) copied from the JAR, used obfuscation methods previously seen in FIN7 code. Sophos cautioned, however, that FIN7 has a history of selling its tools to other cybercriminals, and that its obfuscation methods are themselves based on public code.

In the second cluster of activity, the hackers employed a different strategy both during the fake support chat and once they had access to the victim's device: a much more "hands-on-keyboard" approach, with scripted commands executed by the attackers themselves. In this respect, the activity more closely overlapped with what Microsoft described in its report on Storm-1811. A Sophos spokesperson said that unless a company needs to accept calls from outside organizations, it should restrict that capability, or at least limit it to trusted business partners. The company also recommends that organizations restrict remote access applications by policy unless they are necessary.

Cybersecurity experts emphasize that, to be prepared for evolving threats, businesses must strengthen their cybersecurity practices. This includes limiting external access to the organization by adjusting Microsoft Teams settings to prevent direct communications from outside the organization.
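The Teams hardening that Sophos and the experts above recommend can be applied with the MicrosoftTeams PowerShell module. The following is an added example, not code from the article or from Sophos; it assumes a Teams administrator account and uses "partner.example" as a placeholder for a trusted business partner's domain.

```powershell
# Added example: audit and restrict Microsoft Teams external access.
# Requires the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

# 1. Audit the current tenant setting. By default AllowFederatedUsers and
#    AllowTeamsConsumer are $true, so any outside Teams or personal account
#    can chat with or call employees, which is the feature the campaign abuses.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2a. Strictest option: block all federated (external) users and personal
#     Teams accounts entirely.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 2b. Alternative when some external contact is required: allow-list only
#     trusted partner domains and still block personal Teams accounts.
#     "partner.example" is a placeholder, not a real partner.
$partnerDomain = New-CsEdmAllowedDomain -Domain "partner.example"
$allowList     = New-CsEdmAllowList -AllowedDomain $partnerDomain
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Verify the change. Tenant-wide settings can take a while to propagate,
#    so re-check after some time if the values have not updated yet.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Choose 2a or 2b, not both; 2b overwrites the AllowedDomains list, so include every partner domain that must remain reachable.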

The company should also provide comprehensive employee training so that staff can identify and report phishing attempts and social engineering tactics. It is also recommended that critical data be backed up regularly and kept secure offline, to minimize the impact of ransomware attacks.

Although Microsoft Teams has proved invaluable for remote collaboration, its wide accessibility has made it a target for malicious actors, who continue to refine their methods and become more sophisticated. Cybersecurity experts recommend that businesses contact them if they notice any irregular activity on the Teams platform, for example an increase in spam messages or a rise in suspicious interactions in the Teams app.

Those interested in combating cybercrime can find a variety of online courses taught by TheHackAcademy that simplify complex cybersecurity concepts and provide practical skills for protecting themselves from harm. The courses are designed for learners of all skill levels, from IT professionals to people seeking more information on personal online safety, and cover topics such as identifying phishing scams and defending against ransomware attacks.