Black Basta ransomware, a notorious cybercrime group, has recently resurfaced in the news for its new and alarming method of spreading file-encrypting malware through Microsoft Teams. Teams, a widely used messaging and collaboration app, has become a target for this group, which typically operates within the technology, finance, and public sector industries.
This tactic was first observed in October 2024, and it marks a shift in the group's approach to deploying malware. Black Basta, active since April 2022, has previously relied on spam and social engineering techniques to spread its malicious software. However, the group has now adopted a more deceptive method: posing as legitimate IT support personnel to interact with Teams users. By pretending to be a help desk operator, or even a colleague requesting credentials for an urgent network login, the attackers trick victims into revealing sensitive login information, which is then used to infiltrate the network and deploy file-encrypting malware.
This new strategy represents a departure from older methods, such as phone calls used to gather personal details. Instead, the cybercriminals now impersonate IT professionals or senior managers to steal credentials and install remote access tools.
Why Target Microsoft Teams?
The choice of Microsoft Teams as a target is strategic. The software is a staple of internal communication in corporate environments worldwide. Teams users often do not question the authenticity of incoming messages, because the app is trusted within professional settings. As a result, some employees may unwittingly respond to malicious requests or follow instructions without verifying the source.
The Shift from Email Phishing
In 2023, Black Basta was also linked to email phishing campaigns that involved sending emails with embedded links directing recipients to malicious websites. These sites were designed to harvest sensitive information and deliver malware payloads.
Microsoft’s Advice
Microsoft has issued guidance advising users to be cautious of suspicious messages, particularly those requesting sensitive information or financial transactions. If a message in Teams appears to ask for credentials or a money transfer, users are advised to verify the sender's identity through another channel, such as a phone call or email, before complying with the request.
Additionally, users should avoid clicking on any links from unknown senders, especially those impersonating IT staff or support personnel, as these can lead to phishing attacks.