Published on: March 5, 2025
Cybercriminals have ramped up ransomware attacks by abusing Microsoft Teams and Quick Assist, netting over $107 million in Bitcoin ransoms since October. Security researchers at Trend Micro recently uncovered campaigns by Black Basta and Cactus ransomware groups, both using a shared malware strain, QBACKCONNECT, to maintain persistent access.
“The majority of incidents occurred in North America, accounting for 21 breaches, followed by Europe with 18. The US was the hardest hit, with 17 affected organizations, while Canada and the UK each had five breaches,” Trend Micro’s team said. “In terms of Black Basta’s impact across industries, manufacturing had the highest number of attacks with 10 victims, followed by financial and investment consulting and real estate, each with six victims.
“The attack chains’ methods might not be technically groundbreaking, but how they layer social engineering with the abuse of legitimate tools and cloud-based infrastructure enables them to blend malicious activity into normal enterprise workflows.”
These ransomware attacks rely on a mix of social engineering and abuse of legitimate Microsoft tools. First, attackers flood victims’ email inboxes to create confusion, then impersonate IT support on Microsoft Teams using spoofed accounts. They trick employees into granting remote access through Quick Assist, giving the attackers full control of the device.
Once inside, they deploy malware hidden in OneDrive using DLL sideloading—hijacking legitimate Windows processes to stay undetected. From there, they establish persistent access, steal credentials, and spread across the network, ultimately encrypting files and demanding ransom payments.
Black Basta’s tactics have been traced back to late 2023, while Cactus, composed of former Black Basta members, has evolved to target VMware ESXi hypervisors, disabling security to execute ransomware freely.
To combat these threats, Trend Micro advises disabling unauthorized remote tools, closely monitoring Teams activity, blocking known malicious IPs, and scanning for DLL sideloading attempts. With Black Basta potentially dissolving and Cactus growing in strength, experts warn that businesses must adopt stricter security measures to stay ahead of these evolving attacks.
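As an added detection example (not code from the article or from Trend Micro), the following Python flags two behaviours the attack chain above depends on: a shell or script host launched under a Quick Assist session, and a binary in a system directory loading a DLL from a OneDrive folder. The event schema, paths, PIDs and DLL names are constructed assumptions, not real telemetry or campaign indicators.

```python
# Added example (not from the article or Trend Micro): two detection
# heuristics for the attack chain described above, run over constructed
# endpoint events. The event schema and every path/PID below are assumptions.

# Constructed sample telemetry, loosely modelled on process-creation and
# image-load records. PIDs 41-43 form a Quick Assist -> cmd -> rundll32 chain.
EVENTS = [
    {"kind": "process", "pid": 41, "ppid": 9,
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},
    {"kind": "process", "pid": 42, "ppid": 41,
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"kind": "process", "pid": 43, "ppid": 42,
     "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"kind": "imageload", "pid": 43,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "dll": "C:\\Users\\jdoe\\OneDrive\\Documents\\sample_sideload.dll"},
    {"kind": "imageload", "pid": 50,  # benign control: system DLL from System32
     "image": "C:\\Windows\\System32\\notepad.exe",
     "dll": "C:\\Windows\\System32\\legit.dll"},
    {"kind": "process", "pid": 51, "ppid": 9,  # cmd with no Quick Assist ancestor
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def quick_assist_spawned_shells(events) -> list[int]:
    """PIDs of shell/script hosts with QuickAssist.exe anywhere in their
    ancestry: a remote-support session that starts running commands."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] != "process" or _basename(e["image"]) not in SHELLS:
            continue
        ancestor = by_pid.get(e["ppid"])
        while ancestor is not None:  # walk up until the root or a Quick Assist hit
            if _basename(ancestor["image"]) == "quickassist.exe":
                hits.append(e["pid"])
                break
            ancestor = by_pid.get(ancestor["ppid"])
    return hits


def onedrive_sideload_candidates(events) -> list[tuple[int, str]]:
    """(pid, dll) pairs where a binary living in a system directory loads a
    DLL from a OneDrive folder: the 'hidden in OneDrive' sideload pattern."""
    return [(e["pid"], _basename(e["dll"])) for e in events
            if e["kind"] == "imageload"
            and e["image"].lower().startswith(SYSTEM_DIRS)
            and "\\onedrive\\" in e["dll"].lower()]
```

Both heuristics are deliberately narrow; in a real environment they would be tuned against the organisation's own baseline of legitimate Quick Assist and OneDrive usage before being used for alerting.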