Recently, the Black Basta ransomware group has shifted its methods to target corporate networks more effectively, exploiting Microsoft Teams to impersonate IT support staff. As reported by ReliaQuest, attackers initiate contact with employees through Teams, pretending to be part of the company’s technical support. They claim to be assisting with a “spam attack,” aiming to trick employees into granting network access.
Active since April 2022, Black Basta has executed hundreds of attacks globally. After the Conti cybercrime group disbanded in mid-2022, some former members regrouped to form new entities, one of which was Black Basta. This evolution in tactics underscores the growing sophistication and adaptability of ransomware groups, making vigilance and secure communication channels crucial for organizations.
Black Basta saturates your email and then contacts you through Microsoft Teams.
Black Basta attackers have refined their tactics, launching targeted email floods at employees to overwhelm inboxes with newsletters, registration confirmations, and verification emails. Once the inbox chaos sets in, attackers reach out through Microsoft Teams, posing as IT support and claiming they can help mitigate the “spam attack.” Under this guise, they persuade employees to install remote software like AnyDesk or grant access via Windows Quick Assist.
Once inside, attackers install additional tools such as ScreenConnect, NetSupport Manager, and Cobalt Strike to maintain access. These tools allow them to move laterally within the network, elevate privileges, exfiltrate data, and ultimately deploy ransomware.
ReliaQuest recommends several precautions to counter these tactics: restrict external communications on Microsoft Teams, watch for usernames like “Help Desk” or “Tech Support” impersonations, and implement multi-factor authentication (MFA). Regular cybersecurity training is also crucial in preparing employees to recognize and respond to social engineering attempts like these.
With Black Basta’s increasingly sophisticated mix of social engineering and remote access tools, staying vigilant and proactive against these evolving threats is essential.
