Back in June, the Microsoft 365 Defender Threat Intelligence Team announced that it had uncovered an unusual ransomware campaign. The campaign, dubbed BazaCall, involved not just malicious files but human operators to facilitate the deception. Microsoft users were urged to be on the lookout for emails inviting recipients to call a phone number to either confirm or cancel a subscription.
This week Microsoft renewed its warning, urging additional vigilance concerning BazaCall, which has proven to be a more serious threat than initially described. According to Microsoft's recent analysis, a BazaCall intrusion can move rapidly from the initial infection to a full-blown ransomware attack.
How BazaCall Works
Initial reports described the infection process this way: Victims received emails saying that a subscription was up for renewal, along with a phone number for a phony call center. When they called the number, human operators directed them to a website where they were told to download an Excel file. That file carried a malicious macro which downloaded a malware loader, the first stage of an intrusion that ultimately delivered ransomware.
Microsoft noted that the campaign succeeded on the strength of convincing emails and fake call centers that made the operation appear legitimate. Further analysis showed that ransomware payloads, which in some cases included the Ryuk strain, could be deployed within 48 hours of the initial compromise.
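The delivery step above hinges on a downloaded Excel workbook that carries a macro, so a useful first triage check on any "subscription" file a caller is told to download is whether the workbook contains a VBA project at all. The following is an added example, not code from the original article or from Microsoft's analysis; the sample workbooks are constructed in memory, and the placeholder bytes stored as `xl/vbaProject.bin` are an assumption standing in for a real VBA project. It inspects the Office Open XML container directly, so renaming an `.xlsm` to `.xlsx` does not hide the macro, and it handles the two cases that would otherwise trip the check: a file that is not a ZIP container, and a legacy OLE2 `.xls`, which needs a different parser.

```python
"""Triage check: does an Office Open XML workbook carry a VBA macro project?
Added example (not from the original article). Sample inputs are constructed."""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls / .doc container

# Content types that only appear in macro-enabled workbooks.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-excel.addin.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
}


def inspect_workbook(data: bytes) -> dict:
    """Return findings for a workbook given as raw bytes.

    Two independent signals are checked inside the ZIP container:
      * a VBA project part (xl/vbaProject.bin) is present;
      * [Content_Types].xml declares a macro-enabled content type.
    Either one is enough to treat the file as macro-bearing. The file
    extension is deliberately ignored; only the container is inspected.
    """
    result = {"is_ooxml": False, "has_vba_part": False,
              "macro_content_type": False, "has_macro": False, "note": ""}
    if data[:8] == OLE2_MAGIC:
        result["note"] = "legacy OLE2 container (.xls); needs an OLE parser such as olefile"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["note"] = "not a ZIP container; not an OOXML workbook"
        return result
    with zf:
        names = set(zf.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Signal 1: the VBA project part itself (path compared case-insensitively).
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Signal 2: the declared content types.
        if result["is_ooxml"]:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(t in ct_xml for t in MACRO_CONTENT_TYPES)
    result["has_macro"] = result["has_vba_part"] or result["macro_content_type"]
    return result


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (a constructed sample,
    not a real lure). With macro=True it mimics an .xlsm: macro-enabled
    content type plus a placeholder vbaProject.bin part (assumed bytes)."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += ('<Override PartName="/xl/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project (assumption).
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("invoice.xlsx", build_sample(False)),
               ("renewal.xlsx", build_sample(True)),   # macro file with a benign-looking name
               ("notes.txt", b"plain text, not a workbook"))
    for label, blob in samples:
        r = inspect_workbook(blob)
        print(f"{label}: has_macro={r['has_macro']} {r['note']}")
```

The check deliberately treats the two signals as independent: a workbook whose `[Content_Types].xml` has been tampered with still exposes the `vbaProject.bin` part, and vice versa. It is a triage filter, not a verdict; a file that is flagged should go on to macro extraction and sandboxing, and a clean result says nothing about other lure formats.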
Potent and Sophisticated
BazaCall evades traditional forms of malware protection because its operators send neither suspicious links nor malicious attachments in their emails. The messages have the appearance of legitimate correspondence, and the use of human operators posing as call-center staff further serves to allay victims’ suspicions of a scam.
“Hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks,” Microsoft has said. Office 365 users in particular have been convinced by BazaCall campaigns that their copy of the software is a trial version that will expire and incur a fee unless they cancel it.
Malware and ransomware threats constantly evolve. Cybercriminals modify their methods of attack based on new technological advances and new methods for avoiding detection. The best way to avoid infection is to have a data security strategy that includes best practices for basic digital hygiene and tested protocols for how data is stored and handled within your organization.
Through its line of FIPS-validated and hardware-encrypted storage devices, remote drive management capabilities, and endpoint security technology, SecureData gives its customers tested and comprehensive utilities to prevent malware and ransomware infection and to assist in incident response when network infection occurs.