
MS Teams Chaos Leads to Chaos Ransomware

For immediate assistance with a network intrusion, ransomware
attack, or BEC, please contact: IrongateResponse@irongatesecurity.com  


The adversaries deploying Chaos ransomware have recently gained initial access to corporate networks by spoofing Microsoft Teams calls. The threat group has been observed calling potential victims via MS Teams from a spoofed email account and, once connected, claiming to be from the helpdesk. The adversary's goal is to socially engineer the victim into screen sharing via Teams and granting control, which lets the adversary download and install malware on the victim's computer. Once the malware is installed, the adversary disconnects, only to return through that malware and deploy ransomware across the corporate network.


  • The user (victim) receives an unsolicited call that appears to come from the corporate IT helpdesk.
  • The caller (adversary) tricks the user into allowing a screen share and granting control by stating they need to install some updates and that it will only take a few minutes.
  • The caller (adversary) downloads malware to the user's (victim's) system to install a backdoor.
  • Once installation is successful, the caller (adversary) disconnects.
  • Moments later, the adversary returns through the backdoor to deploy ransomware.


Notable Observations:

  • The time from the initial call to deployment of ransomware has been observed to be short, only a few hours.
  • The average ransom demand for Chaos is $3,750,000, the average payment is $807,500, and the average negotiated discount is approximately 78%.
  • Victim organizations have ranged from several hundred to several thousand employees across multiple industries, including Insurance, Engineering, and Real Estate.


Mitigation Recommendations: 

  • Educate your organization to verify the identity of unsolicited callers, and make sure employees know your organization's procedures for how IT will initiate contact with them.
  • Review and scrutinize the caller's email address to identify mistyped or lookalike email domains.
  • Ask the caller to "go on camera" and have them perform a series of actions to help identify the use of deepfake technology.
  • Disconnect from the call with the unsolicited caller and call IT directly using a trusted phone number or contact method.
  • IT can disable Teams communications from external sources (this would not affect the use of Teams conference calls).
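The last recommendation corresponds to the Teams external access (federation) settings. The following PowerShell, using the MicrosoftTeams module, is an added example and not part of the original post: it audits the current posture, blocks consumer Teams and Skype accounts, and restricts federated chat and calls to an allow-list. The domain `partner.example` is a placeholder, and a Teams administrator account is assumed.

```powershell
# Added example: audit and tighten Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and the account used
# holds a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Get-ExternalAccessPosture {
    # Tenant-wide settings that decide whether people outside the
    # organisation can start chats or calls with your users.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                      AllowTeamsConsumerInbound, AllowPublicUsers,
                      AllowedDomains, BlockedDomains
}

function Restrict-ExternalAccess {
    param(
        # Partner tenants that may still reach your users.
        # "partner.example" is a placeholder, not a real partner domain.
        [string[]]$AllowedPartnerDomains = @("partner.example")
    )

    # Block unmanaged Teams (consumer) and Skype consumer accounts; these
    # are the cheapest identities for an impostor to set up.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                        -AllowTeamsConsumerInbound $false `
                                        -AllowPublicUsers $false

    # Keep federation on, but only for the named partner domains. Any
    # other tenant, including a lookalike of your own domain, is dropped.
    # To disable external communications entirely instead, use
    # -AllowFederatedUsers $false and skip the allow-list.
    $patterns  = $AllowedPartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

    # Invited externals joining scheduled meetings are governed by the Teams
    # meeting policy, not federation, so conference calls keep working.
}

Write-Output "Before:"; Get-ExternalAccessPosture
Restrict-ExternalAccess
Write-Output "After:";  Get-ExternalAccessPosture
```

Re-run Get-ExternalAccessPosture after a few minutes, since federation changes can take time to propagate across the tenant.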



Ramey

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.
He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.

