Black Basta Ransomware Group Affiliates Leveraging Windows Quick Assist for Initial Access
ID: cf30faec-b6d4-550b-a0f1-2d92f13234ac
STIX ID: report--cf30faec-b6d4-550b-a0f1-2d92f13234ac
Feed Name: Arctic Wolf Blog
Since April 2024, Arctic Wolf has tracked Black Basta affiliates conducting social-engineering campaigns (vishing, email bombing, and Microsoft Teams messages and calls) to trick users into granting remote control via Microsoft Quick Assist. The affiliates then use downloaded tooling (Qakbot, ScreenConnect, NetSupport, Cobalt Strike, SystemBC) and PsExec to achieve persistence, lateral movement, and widespread Black Basta ransomware deployment. The bulletin provides detections and recommends uninstalling unused remote-assistance tools, security awareness training, and Teams safeguards.
