Ransomware scum make it personal for Reg readers by impersonating tech support

Two ransomware campaigns are abusing Microsoft Teams to infect organizations and steal data, and the crooks may have ties to Black Basta and FIN7, according to Sophos. The antivirus maker's managed detection and response (MDR) team began investigating the two separate campaigns in November and December. Both of the ransomware …

  1. Guy de Loimbard Silver badge
    Stop

    Evolve or die

    The lengths threat actors go to in order to carry out their actions never cease to amaze me.

    Stay vigilant, keep pushing awareness and, for goodness' sake, invest either in solid, well-trained staff or in external expertise that can support you.

  2. MOH

    This headline makes no sense, unless I've missed something. How is it specifically Reg related?

    1. Korev Silver badge
      Alien

      I was wondering the same...

      1. STOP_FORTH Silver badge
        IT Angle

        They despise their readers!

        I think the implication is that Reg readers are too sophisticated to fall for simple phishing approaches. We are, however, craven enough towards authority figures to fall for anything coming from someone in IT support.

        Possibly they also assume that many of us work in IT support and would have to clean up the resulting mess whilst suffering reputational damage.

        It's all hooey; my first virus infection came from an e-mail from some eejit in IT. I hate the feckers.

    2. Wang Cores

      At least I wasn't alone. Was scratching my head, thinking the actual IT people were seeing something I didn't.

    3. wub
      IT Angle

      Who are us, anyway?

      When I read the title, I expected that somehow Register readers, as a group, had been included in the targeting.

      Reading the article reassured me that we had not been singled out for the criminals' special attention - then I realized that what it may mean is that "impersonating IT" is impersonating US, since there are a fair few Register readers who work in IT, no?

    4. TeeCee Gold badge

      If I were to impersonate you and rip a load of people off, who do you think they would blame?

      Likewise, if some bunch of rancid shitstains impersonates your IT support team and.....(etc)?

  3. Pascal Monett Silver badge
    Stop

    Sangria Tempest or Carbon Spider

    Could we stop giving those criminal groups sexy names?

    They're not hurricanes, they're scum.

    So, call them Scum0001, Scum0002, etc.

    They do not deserve more than that.

    1. Version 1.0 Silver badge
      Thumb Down

      Re: Sangria Tempest or Carbon Spider

      I agree, but we'll start seeing new apps like a Software Common Universal Media app recommended for a quick download ...

      This is not a joke; it's probably only the infected world these days.

  4. PATSYQB
    Happy

    You got me at....

    "....also abused a default Teams configuration that allows external users to initiate meetings or chats with internal ones"

    Why the fuck would anyone make that a default/global configuration? Just why?

    1. Guy de Loimbard Silver badge

      Re: You got me at....

      Good catch.

      There should be some serious inward reflection and thought as to why default configurations are so easy to overcome... yes, I'm looking at all the software and hardware slingers!

      Well, because they come out of the factory with the equivalent of Password123 credentials.

      FFS... Secure by Design should really start to appear among OS/software slingers too.

      There should be no "easy for end users" default configurations!

    2. Helcat Silver badge

      Re: You got me at....

      Unfortunately it can be necessary, particularly if you have external groups collaborating on a project. Then you find you have these mixed-organisation meetings taking place.

      However, in such instances there should be pre-configuration work done to create a trusted channel or shared area.

      But for the initial meetings: That's where you'd have the risk as it's unlikely there's been time to set up the security.

      1. Kevin Johnston

        Re: You got me at....

        Or else you have an 'external' Teams zone set up specifically for this which allows meetings between different companies but which is fully isolated from your internal systems. If it is necessary to allow access to internal documents they can be emailed or whatever.

        If later on there is a need to allow a trusted channel then it can be configured at that point.

        1. Acrimonius

          Re: You got me at....

          Often you are sharing a document or a spreadsheet and it can be easier to let others take control from time to time. This control can be the whole desktop and not just the active window/application as there is perhaps a need to switch between multiple documents.

    3. Mike007 Silver badge

      Re: You got me at....

      Find an organisation that uses Teams internally but never uses it for meetings with external users, and you have likely found quite a dysfunctional organisation.

      It's a bit like complaining that spam is only a problem because some people are stupid enough to let external people email them. If they didn't then they wouldn't have much use for email...
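The thread above turns on one Teams tenant setting: external (federated and consumer) accounts being allowed to start chats and meetings with internal users. As an added illustration, not code from the article or from any commenter, the following PowerShell shows how an admin can inspect that state and narrow it to an explicit partner allow list, which is the "trusted channel" approach Helcat and Kevin Johnston describe. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; the partner domain names are placeholders.

```powershell
# Added example: not from the article or any comment. Inspects the permissive
# external-access state the article describes as the Teams default and narrows
# it to named partner tenants while blocking unmanaged consumer accounts.
# Requires the MicrosoftTeams module and a Teams admin sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Inspect. AllowFederatedUsers with no allow list means any Teams tenant may
#    open a chat or meeting with your users; AllowTeamsConsumer covers unmanaged
#    personal Teams accounts, the cheapest identities for an "IT support" impostor.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowTeamsConsumer, AllowTeamsConsumerInbound

# When federation is open, AllowedDomains is an AllowAllKnownDomains object
# with no AllowedDomain collection, so this test detects the open state.
if ($cfg.AllowFederatedUsers -and -not $cfg.AllowedDomains.AllowedDomain) {
    Write-Warning 'Federation is open to every external tenant (no allow list).'
}
if ($cfg.AllowTeamsConsumer -or $cfg.AllowTeamsConsumerInbound) {
    Write-Warning 'Unmanaged (consumer) Teams accounts can reach your users.'
}

# 2. Tighten. Keep federation on, since partner meetings need it, but limit it
#    to an explicit allow list built with the domain-pattern and allow-list
#    cmdlets, and turn consumer-account access off entirely.
$partnerDomains = @('partner-one.example', 'partner-two.example')   # placeholders
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Re-read and confirm only the listed partner domains remain.
$cfg = Get-CsTenantFederationConfiguration
$cfg.AllowedDomains.AllowedDomain | Select-Object Domain
```

The first-meeting window Helcat mentions is covered by adding the partner's tenant to the allow list before the kickoff rather than after; the same setting appears in the Teams admin center as "Allow only specific external domains". Where only a subset of staff needs external chat at all, a per-user external access policy (Grant-CsExternalAccessPolicy) narrows the exposure further than the tenant-wide setting alone.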

  5. andy the pessimist

    IT being proactive.

    I've never had a proactive IT person contact me. The best was use Teams to report the problem. Usually the response was good. The worst is submit a ticket and get manager's approval.

    This proactive call by IT would be so unusual I would be really suspicious.

    1. Yet Another Anonymous coward Silver badge

      Re: it being proactive.

      It's a good target though.

      In a lot of small/remote offices there is a sort-of-IT person that corporate IT calls on for local stuff.

      A message from an account I recognize asking to reboot a local server or run an update or swap a network cable to a different switch port.

      How suspicious are they supposed to be and should their response be to demand a letter from the board first?

  6. Conrad Longmore

    We've seen these guys

    We've seen these guys... they're really quick. The user's mailbox gets hit by hundreds of email messages for things like web site sign-ups, newsletter subscriptions etc. Around 10-20 mins after the email bomb starts, the user gets a call via Teams from a fake IT department. You might see several victims getting the email bomb with only a few getting the phone call; worth checking in each case.
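The timing signature in the comment above (a subscription-mail flood, then an external Teams contact a quarter of an hour later) is easy to turn into a correlation check. The following PowerShell is an added example, not code from the article or from the commenter: it slides a window over per-user inbound mail counts, flags any burst, and then looks for an inbound Teams contact from a non-internal account in the hour after the burst starts. The event records are constructed here for the example; in practice they would be exported from the mail gateway and from the Teams call and chat logs, and the threshold and window values are assumptions to be tuned to your own volumes.

```powershell
# Added example: not from the article or any comment. Correlates an email bomb
# with a follow-up external Teams contact for the same user. All events below
# are constructed sample data.
$BurstThreshold = 100                       # messages within the window (assumed)
$BurstWindow    = New-TimeSpan -Minutes 30  # window over which to count (assumed)
$ContactLag     = New-TimeSpan -Minutes 60  # how long after burst start to look (assumed)

function Find-EmailBombThenTeamsContact {
    param(
        [Parameter(Mandatory)] [object[]] $MailEvents,  # objects: User, Received (DateTime)
        [Parameter(Mandatory)] [object[]] $TeamsEvents  # objects: User, Time (DateTime), CallerDomain, Internal (bool)
    )
    foreach ($group in ($MailEvents | Group-Object User)) {
        $times = @($group.Group.Received | Sort-Object)
        # Slide the window across the sorted timestamps; stop at the first burst.
        $burstStart = $null; $inWindow = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i] + $BurstWindow
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($inWindow -ge $BurstThreshold) { $burstStart = $times[$i]; break }
        }
        if ($null -eq $burstStart) { continue }   # no burst for this user

        # Any non-internal Teams contact in the lag window after the burst began.
        $external = @($TeamsEvents | Where-Object {
            $_.User -eq $group.Name -and -not $_.Internal -and
            $_.Time -ge $burstStart -and $_.Time -le ($burstStart + $ContactLag)
        })
        $severity = if ($external.Count -gt 0) { 'High: email bomb followed by external Teams contact' }
                    else { 'Medium: email bomb only, check for a follow-up call' }

        [pscustomobject]@{
            User          = $group.Name
            BurstStart    = $burstStart
            MailInWindow  = $inWindow
            ExternalTeams = ($external | ForEach-Object { "$($_.Time.ToString('HH:mm')) from $($_.CallerDomain)" }) -join '; '
            Severity      = $severity
        }
    }
}

# --- Constructed sample data (not real logs) ---------------------------------
$t0 = Get-Date '2024-12-02T09:00:00'
$mail = @(
    1..150 | ForEach-Object { [pscustomobject]@{ User = 'alice'; Received = $t0.AddSeconds($_ * 8) } }   # 150 msgs in 20 min
    1..120 | ForEach-Object { [pscustomobject]@{ User = 'carol'; Received = $t0.AddSeconds($_ * 10) } }  # bombed, but no call
    1..3   | ForEach-Object { [pscustomobject]@{ User = 'bob';   Received = $t0.AddMinutes($_ * 7) } }   # normal traffic
)
$teams = @(
    [pscustomobject]@{ User = 'alice'; Time = $t0.AddMinutes(15); CallerDomain = 'helpdesk-support.example'; Internal = $false }
    [pscustomobject]@{ User = 'bob';   Time = $t0.AddMinutes(20); CallerDomain = 'corp.example';             Internal = $true  }
)

Find-EmailBombThenTeamsContact -MailEvents $mail -TeamsEvents $teams | Format-Table -AutoSize
```

Run against the sample data, alice is reported as High (bomb plus an external Teams contact at 09:15), carol as Medium (bomb only, which is the "worth checking in each case" situation the commenter describes, since the call may simply not have happened yet), and bob is not reported at all. The mail-only Medium finding is the one worth an early heads-up to the user, because the Teams call is the step that does the damage.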
