In recent months multiple high-profile large companies in the US have fallen victim to ransomware attacks. In at least two high-profile cases, the company has paid out millions of dollars to the attackers to get their data back. As hackers make more money using ransomware tactics, the incidence of attacks increases. Microsoft is now warning users to beware of phishing emails that attempted to trick them into downloading ransomware software.
Microsoft cybersecurity researchers are looking for a criminal organization called BazarCall. The criminal group is using call centers to infect computers with malware called BazarLoader, which has been used to distribute ransomware. The group behind the ransomware has been active since January and is notable for using call center operators to guide victims to install their software on a Windows PC.
Once installed, the malware provides backdoor access into the Windows PC, allowing the criminals to send follow-up malware, scan the environment, and exploit other vulnerable hosts on the network. The attack typically starts with a phishing email advising the victim that a trial subscription to software on their computer was expired and that they would be charged automatically unless they called to cancel the trial.
Microsoft is focusing on the emails sent by the group targeting office 365 users. If the user calls the number in the email, a fraudulent call center the attackers operate instructs the victim to visit a website and download an Excel file to cancel the service. Inside that downloaded file is a malicious macro that downloads the payload allowing the ransomware to be installed.
The group is also known to use the Cobalt Strike penetration testing kit to steal credentials, including stealing data from the Active Directory database. Stealing Active Directory database content is a significant issue for enterprise users because it contains the organization’s identity and credential information.