Recently, organizations have been confronted with a particularly sophisticated new method of delivering ransomware. It is important to be aware of this tactic in order to protect yourself and your organization. Here are the details and specific recommendations for action:
The new scam
Attackers use a multi-stage method:
- Initial contact: The attackers collect contact details for the target persons by telephone.
- Spam attack: Users are flooded with thousands of spam messages via e-mail or Teams.
- Fake IT calls: The attackers call and pretend to be IT support to offer help with spam removal.
- Quick Assist as a backdoor: They use Microsoft Quick Assist to gain remote access to the system via a 6-digit PIN. While apparently solving the spam problem, they install an SSH backdoor.
- Further steps: The system is handed over to another team, which spreads laterally across the network, exfiltrates data and finally encrypts the systems.
Two important findings:
- Report spam attacks to IT immediately and do not accept unsolicited offers of help. Verify every call, even if it appears to come from IT.
- Check and deactivate Microsoft Quick Assist.
  - Quick Assist is installed by default in Windows 10 and 11 (including Professional and Enterprise), and its remote sessions pass straight through firewalls and VPNs.
  - To check whether Quick Assist is present: Press the Windows key, type “Quick” and look for “Quick Assist” in the results.
  - Remove Quick Assist centrally: left installed, it is a security risk that attackers can easily exploit.
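The check and the removal can also be done from PowerShell instead of by hand. The following is an added example, not part of this advisory: it assumes an elevated session and uses the Windows 10 optional-capability name (App.Support.QuickAssist) and the Windows 11 Store package name (MicrosoftCorporationII.QuickAssist); confirm both against your own builds before rolling the removal out centrally.

```powershell
# Added example (not from the original advisory). Run in an elevated session.
# Windows 10 ships Quick Assist as an optional capability; Windows 11 ships it
# as an Appx (Store) package. Package and capability names are assumptions to
# verify against your build.

# Inventory: is Quick Assist installed, provisioned for new profiles, or running?
function Get-QuickAssistStatus {
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    $pkg  = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    $prov = Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
            Where-Object DisplayName -like '*QuickAssist*'
    $proc = Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CapabilityInstalled = $null -ne ($cap | Where-Object State -eq 'Installed')
        AppxInstalled       = $null -ne $pkg
        AppxProvisioned     = $null -ne $prov   # comes back for every new user profile
        RunningNow          = $null -ne $proc   # a live session during a spam wave warrants an IR ticket
    }
}

# Removal: supports -WhatIf so the change can be reviewed before it is applied.
function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Windows 10: optional capability
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Installed' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove-WindowsCapability')) {
                Remove-WindowsCapability -Online -Name $_.Name | Out-Null
            }
        }

    # Windows 11: remove the package for all existing users AND the provisioned
    # copy, otherwise it reappears with the next new profile.
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage')) {
                Remove-AppxPackage -Package $_.PackageFullName -AllUsers
            }
        }
    Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like '*QuickAssist*' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            }
        }
}

Get-QuickAssistStatus
Remove-QuickAssist -WhatIf   # drop -WhatIf to perform the removal
Get-QuickAssistStatus
```

Removal alone does not stop a user from reinstalling the app from the Microsoft Store, so pair it with your Store or application-control policy.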