A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist

MITRE Techniques

• [T1566.002] Phishing: Spearphishing Link – Attackers conducted “email bombing” with multiple unsolicited emails to overwhelm the target, facilitating social engineering (‘Employee received 24 unsolicited emails within a 3-minute period’).
• [T1204.002] User Execution: Malicious File – The victim was tricked into allowing remote access via Microsoft Quick Assist during a phone call spoofing the IT department (‘Using the emails as a pretext, the threat actor socially-engineered the employee to grant them remote access’).
• [T1610] Deploy Container – Attackers deployed a QEMU virtual machine on the compromised host to isolate malicious activity and connect to the network (‘launched a Windows 7 virtual machine within the Qemu emulator’).
• [T1105] Ingress Tool Transfer – Used a spoofed domain to download malware payloads from Google Drive and a one-time SMS service (‘navigated to msquick[.]link which redirected to 1ty[.]me… containing UpdatePackage_excic.zip’).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – The ransomware batch file attempted to map C$ shares across 88 hosts to propagate (‘start 1l L.exe … -p [host IP address]c$’).
• [T1078] Valid Accounts – Attackers created and used local administrator accounts for persistence and lateral movement (‘created local administrator account [SupportUser] and used Remote Desktop to access servers’).
• [T1106] Native API – Used WMIC and PowerShell commands to execute payloads and perform discovery across systems (‘wmic product where “name=Duo Authentication” call uninstall’, ‘PowerShell commands for discovery and lateral movement’).
• [T1041] Exfiltration Over C2 Channel – Data exfiltrated via GoodSync to a cloud provider Backblaze (‘uploaded approximately 868 GB of data to Backblaze’).
• [T1005] Data from Local System – Large data collection prior to exfiltration documented (‘stole data from the targeted organization’s network’).