Windows Quick Assist: A Tool Misused in Black Basta Ransomware Attacks, here is what we know

In the realm of cybersecurity, a new threat has emerged. Cybercriminals are now exploiting a legitimate tool, Windows Quick Assist, to launch social engineering attacks. This misuse of technology has led to the deployment of the Black Basta ransomware.

The Threat Actors

The cybercriminal group known as Storm-1811 is behind these attacks. This group, driven by financial motives, has been observed misusing Quick Assist since mid-April 2024. Their primary weapon of choice is the Black Basta ransomware.

The Modus Operandi

The attack begins with a simple impersonation. The criminals pose as trusted contacts, such as Microsoft technical support or an IT professional from the target’s company. They use voice phishing, also known as vishing, to gain initial access to the target device.

Quick Assist, a client management tool, plays a crucial role in this process. It allows a user to share their Windows or macOS device with another person over a remote connection. The attackers exploit this feature to gain control of the target’s device.

The Malicious Payload

Once the attackers gain access, they deliver malicious tools. These include remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and malware like Qakbot and Cobalt Strike. The final payload is the Black Basta ransomware.

The Response

Microsoft is actively investigating the misuse of Quick Assist. They are working on improving transparency and trust between helpers and sharers and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects activity originating from Quick Assist sessions, and Microsoft Defender Antivirus detects the malware components associated with this activity.

The Prevention

Organizations can reduce the risk of attacks by blocking or uninstalling Quick Assist and other remote management tools if they are not in use. Additionally, educating users on how to recognize tech support scams can significantly reduce the impact of social engineering attacks.

In conclusion, the misuse of Windows Quick Assist in Black Basta ransomware attacks is a stark reminder of the evolving nature of cyber threats. It underscores the need for constant vigilance, robust cybersecurity measures, and continuous user education.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.