
Russian Ransomware Groups Deploy Email Bombing and Teams Vishing

ID: 930c678a-2002-56e3-9c76-52b7d18646e9

STIX ID: report--930c678a-2002-56e3-9c76-52b7d18646e9

Feed Name: Infosecurity Magazine (News)

Threat Score: 75/100

Date Published: 2025-01-21

Date Updated: 2026-04-22


Security vendor Sophos reports two active campaign clusters (STAC5143 and STAC5777) using large-scale email bombing followed by Teams-based social engineering to convince corporate victims to grant remote access (Quick Assist, Teams screen sharing, RDP/WinRM). Observed activity includes Python malware with FIN7-like obfuscation, hands-on-keyboard post-compromise behavior, data exfiltration and extortion, and at least one deployment of Black Basta ransomware across ~15 incidents since November 2024; Sophos recommends tightening Teams/M365 settings, restricting remote-access tools, and updating employee awareness.
