Microsoft and cybersecurity firm Rapid7 have uncovered a social engineering campaign by Storm-1811 that exploits Windows Quick Assist to deploy Black Basta ransomware.

The attackers conduct email bombing, then pose as Microsoft support or IT staff to gain device access, followed by downloading malicious payloads and using PsExec for ransomware deployment.

Rapid7 discovered that the attackers collect credentials using batch scripts, which are then sent back to their server.

Black Basta ransomware, active since April 2022, has affected over 500 organizations and extorted over $100 million in ransoms from more than 90 entities by November 2023.

Cybersecurity authorities like CISA, the FBI, and Health-ISAC have issued warnings, with the healthcare industry being a significant target.

Microsoft recommends blocking or uninstalling Quick Assist, educating employees on tech support scams, and ensuring access to devices is only granted to verified individuals to mitigate such attacks.