Ransomware Gangs Are Posing as Tech Support

Ransomware gangs have recently begun posing as tech support to infiltrate networks and carry out malicious activities. These groups have been exploiting Microsoft services and tools, such as Microsoft Teams, for initial access and subsequent attacks. Security experts warn that this evolving strategy is part of a larger effort to deceive organizations and evade detection.

Recent findings from the Sophos’ Managed Detection and Response (MDR) team revealed two active ransomware campaigns using sophisticated social engineering techniques. In both campaigns, the threat actors would spam the organization with thousands of emails. Then, they would reach out to the organization via Microsoft Teams, posing as tech support. The victim would then be directed to give the threat actor remote access to their device — once done, the threat actor would infect the device with malware.

By leveraging trusted platforms, attackers increase the likelihood of their messages being opened. According to the report, this trend showcases a shift in the threat landscape, with ransomware groups focusing on tools that victims already use and trust.

A separate investigation by The Record identified a Russian-based hacking group to be behind some of the attacks. They would use voice or video Microsoft Teams calls to contact the victim. This “vishing” technique — voice phishing — is particularly effective because it uses a more personal form of interaction, increasing its credibility in the eyes of victims. Even savvy users can fall victim to this approach if they aren’t vigilant.

In its report, Sophos stated: ““Organizations should raise employee awareness of these types of tactics — these aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon.”