Black Basta Leveraging Microsoft Teams for Social Engineering

Published on November 27, 2024

The Black Basta ransomware group has adopted Microsoft Teams as a tool for sophisticated social engineering attacks, targeting hundreds of organizations in October 2024. Black Basta has shifted tactics from email-based phishing to impersonating IT help desk staff on Microsoft Teams for initial infection.  

The attack sequence begins with spam emails overwhelming inboxes, followed by direct contact through Teams, where attackers convince victims to install remote access tools like Quick Assist or AnyDesk. Once connected, they deploy malware to infiltrate networks, Cybersecurity News reports.

Key risks include external account spoofing using fake Entra ID tenants, employees' misplaced trust in Teams messages, and unrestricted remote access through collaboration tools. This method bypasses traditional email security defenses, significantly increasing the effectiveness of their attacks.  
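As an added illustration of a defensive check against the chain described above (this is example code written for this page, not code from the original post or from Halcyon), the following Python script correlates Teams messages from tenants outside an organisation's federation allowlist with a Quick Assist or AnyDesk launch on the same user's endpoint shortly afterwards. The pipe-separated log format, the allowlisted domains, the executable names and the sample events are all constructed assumptions.

```python
"""Flag help-desk impersonation sequences: a Teams message from an external
tenant followed by a remote access tool launch for the same user.
Added example; the log format, domains, process names and sample events
are assumptions, not real telemetry."""
from datetime import datetime, timedelta

# Domains the organisation legitimately federates with (assumption).
ALLOWED_DOMAINS = {"example.com", "partner.example.net"}

# Executables of the remote access tools named in the post (assumed names).
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}

# How soon after an external Teams contact a tool launch is treated as linked.
WINDOW = timedelta(minutes=30)

# Constructed sample events in the form: timestamp|kind|user|key=value
SAMPLE_EVENTS = [
    "2024-10-15T09:00:00|teams|alice@example.com|sender=helpdesk@support-example.onmicrosoft.com",
    r"2024-10-15T09:12:30|process|alice@example.com|image=C:\Windows\System32\quickassist.exe",
    "2024-10-15T10:00:00|teams|bob@example.com|sender=it@example.com",
    r"2024-10-15T10:05:00|process|bob@example.com|image=C:\Program Files\AnyDesk\AnyDesk.exe",
    "2024-10-15T11:00:00|teams|carol@example.com|sender=ceo@support-example.onmicrosoft.com",
    r"2024-10-15T13:00:00|process|carol@example.com|image=C:\Program Files\AnyDesk\AnyDesk.exe",
]


def parse_event(line):
    """Parse one pipe-separated record into a dict with a datetime timestamp."""
    ts, kind, user, detail = line.split("|", 3)
    key, _, value = detail.partition("=")
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, key: value}


def is_external(sender):
    """True when the sender's domain is not on the federation allowlist."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in ALLOWED_DOMAINS


def tool_name(image):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_sequences(lines, window=WINDOW):
    """Return one hit per remote tool launch that was preceded, within
    `window`, by a Teams message from an external tenant to the same user."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_external = {}  # user -> (timestamp, sender) of most recent external contact
    hits = []
    for ev in events:
        if ev["kind"] == "teams":
            if is_external(ev["sender"]):
                last_external[ev["user"]] = (ev["ts"], ev["sender"])
        elif ev["kind"] == "process":
            name = tool_name(ev["image"])
            contact = last_external.get(ev["user"])
            if name in REMOTE_TOOLS and contact and ev["ts"] - contact[0] <= window:
                hits.append({
                    "user": ev["user"],
                    "sender": contact[1],
                    "tool": name,
                    "gap_minutes": (ev["ts"] - contact[0]).total_seconds() / 60,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"{hit['user']}: {hit['tool']} launched {hit['gap_minutes']:.0f} min "
              f"after Teams contact from {hit['sender']}")
```

On the sample data only the first user is reported: the second user's contact came from an allowlisted domain, and the third user's AnyDesk launch falls outside the 30-minute window, so the correlation deliberately stays quiet there. In practice the allowlist should mirror the tenant's actual external access configuration, and the check is a backstop to the stronger controls the post implies: restricting Teams federation to known domains and blocking unsanctioned remote access tools at the endpoint.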

Researchers report over $15 million in damages across industries such as finance, technology, and government contracting so far.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Black Basta, a ransomware-as-a-service (RaaS) group that emerged in early 2022, is suspected to be an offshoot of the defunct Conti and REvil operations.

Known for its technical sophistication and aggressive tactics, the group targets organizations across high-stakes sectors, including manufacturing, healthcare, telecommunications, and finance.  

Black Basta employs a double extortion model, exfiltrating sensitive data to pressure victims into paying ransoms, often threatening to leak or sell stolen information if demands are unmet.

The group’s ransomware, developed in C++, uses advanced encryption methods, including ChaCha20 and RSA-4096, ensuring rapid and secure data encryption.  

They exploit vulnerabilities in VMware ESXi and ConnectWise (CVE-2024-1709), as well as insecure Remote Desktop Protocol (RDP) setups, often aided by credentials purchased from Initial Access Brokers (IABs).

Social engineering techniques, such as phishing emails, complement their technical exploits to bypass security defenses.

Black Basta’s meticulous affiliate model maintains high operational security. Affiliates leverage advanced tools, including Qakbot malware and exploits like PrintNightmare, and disable defenses using PowerShell commands and Group Policy Objects.  

The group has amassed over $107 million in revenue, with ransom demands sometimes exceeding $9 million, capitalizing on their reputation for highly targeted and sophisticated attacks.

Notable victims include Southern Water, BionPharma, M&M Industries, Coca-Cola, Yellow Pages Canada, AGCO, Capita, ABB, Merchant Schmidt, Tag Aviation, Blount Fine Foods, and more.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
