05.11.2024 - A case was reported to us last week that shows how criminals associated with the "Black Basta" group infect businesses with ransomware. Victims are bombarded with spam emails and then contacted by fake support staff via Microsoft Teams and by phone. Ostensibly, the support staff are there to repair the damage – but in reality, they are scammers trying to gain access to their victims' devices in order to install malware.
Week 44: "Black Basta" - A clever way to defraud businesses: using spam to trick people into installing ransomware
As well as trying to exploit vulnerabilities or crack weak passwords, scammers can also interact directly with internet users. Whereas in the past it was enough to send an email asking the person to open an attached file, this scam rarely works anymore and criminals are having to adapt. In Weekly Review 2024/43, we reported on how scammers are responding to the increased use of security measures such as two-factor authentication. In this week's review, we look at how they are trying to gain the trust of their victims in order to bypass increased security and install malware on their computers.
A great deal has happened in the field of malware protection over the last few years: antivirus software, automatic updates and firewalls are now built into many operating systems. In addition, users are now usually asked several times to confirm that they want to install software, and the system tells them if the software does not appear trustworthy. Because of these changes, scammers have had to adapt how they work. A particularly sophisticated method of targeting companies is used by the "Black Basta" group. One such case was reported to us last week.
The attack begins with a barrage of spam emails (newsletter and webshop registrations, password reset requests, etc.); in the case reported to us, the victim received approximately 50 to 100 spam emails per minute. This is called email bombing. In some cases, email bombing is used to block the victim's inbox or to ensure that important emails are lost in the deluge. In last week's case, however, the attackers' intention was different: they were trying to get their victims to accept help from the help desk.
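As an added example (not part of the NCSC review and not a tool from the reported case), the following Python script shows one way a mail administrator could spot the email-bombing burst described above: it counts inbound messages per recipient in a sliding 60-second window and flags mailboxes that exceed a threshold. The log format, field names, threshold and sample records are all constructed for this illustration.

```python
# Added example: sliding-window detector for "email bombing" bursts.
# Log format ('<ISO timestamp> from=<addr> to=<addr>'), the threshold and the
# sample records are constructed assumptions, not taken from the case.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # length of the sliding window
THRESHOLD = 30                   # messages per window that count as a burst

def parse_line(line):
    """Parse one constructed log record into (timestamp, sender, recipient)."""
    ts, frm, to = line.split()
    return datetime.fromisoformat(ts), frm.removeprefix("from="), to.removeprefix("to=")

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: (first_ts, count)} for every recipient hit by a burst.

    Records must be in chronological order, as they are in a real mail log.
    """
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    bursts = {}
    for line in lines:
        ts, _sender, rcpt = parse_line(line)
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and rcpt not in bursts:
            bursts[rcpt] = (q[0], len(q))  # first message of the burst, size so far
    return bursts

def sample_log():
    """Constructed sample: one mailbox gets 80 messages in one minute (the
    pattern from the case), a colleague gets one message every few minutes."""
    base = datetime(2024, 11, 1, 9, 0, 0)
    lines = []
    for i in range(80):   # 80 newsletter/registration mails in 60 seconds
        t = base + timedelta(seconds=i * 0.75)
        lines.append(f"{t.isoformat()} from=noreply{i}@shop-example.test to=victim@corp.example")
    for i in range(5):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} from=colleague@corp.example to=other@corp.example")
    lines.sort(key=lambda l: parse_line(l)[0])   # merge both streams chronologically
    return lines

if __name__ == "__main__":
    for rcpt, (start, n) in find_bursts(sample_log()).items():
        print(f"possible email bombing: {rcpt} received {n} messages from {start}")
```

A burst of this kind is also a cue to warn the affected user that any unexpected "help desk" contact in the following hours should be verified through a known internal channel.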
In the next step, the attackers contact the victim through Microsoft Teams, impersonating a member of the company's support or IT staff. They use display names that appear trustworthy, such as "Help Desk". Because they appear legitimate, victims are more likely to ignore any security warnings that pop up – and if they have any doubts, the fake support staff are quick to reassure them. Finally, the fake help desk gets the victim to scan a legitimate-looking QR code; by doing so, the victim unwittingly downloads and installs ransomware on their device, thereby compromising the company's network.
In addition to Microsoft Teams chats, attackers are also using Voice over IP (VoIP) calls to persuade users to download remote administration software. This software then gives the attackers direct access to their victims’ systems.
In the case reported to us last week, a ransomware group called "Black Basta", which has been around since April 2022, was behind the attack. The group offers "ransomware-as-a-service" (RaaS) on the Darknet. RaaS allows less tech-savvy criminals to carry out attacks by renting the ransomware from its developer, in this case "Black Basta", and later paying them a portion of the ransom. The "Black Basta" malware not only encrypts data, it also steals it. This allows fraudsters to blackmail their victims twice. The damage done by this ransomware is huge.
Recommendations
- Make your employees aware of this type of cyberattack;
- Use application whitelisting software such as AppLocker for your organisation. This will stop many attempted attacks;
- Do not allow anyone to remotely access your computer. If you have allowed remote access, it is possible that your computer has been infected. In this case, you should have your computer checked by a specialist.
Current statistics: last week's reports by category (chart not reproduced in this text).
Last modification 05.11.2024