Russian Cyber Gangs Posing as IT Support on Microsoft Teams to Launch Ransomware Attacks
Russian cybercriminal groups are masquerading as remote IT support workers on Microsoft Teams in an audacious new hacking campaign, cybersecurity experts have warned. According to a recent report by cybersecurity firm Sophos, these gangs bombard employees with thousands of spam emails before reaching out to “solve” the issue via Teams, ultimately tricking their victims into granting remote computer access.
Once given access, the attackers install malicious software designed to steal data, encrypt systems and hold organizations to ransom. Sophos linked this fast-spreading campaign to two Russian criminal groups, FIN7 and Storm-1811. The firm noted a spike in incidents: it had seen the tactic used in 15 cases in the past three months, eight of them in the past fortnight.
“Microsoft Teams’ default configuration allows individuals outside an organization to chat with or call internal staff at a company, and attackers are abusing this feature,” said Sean Gallagher, Principal Threat Researcher at Sophos.
“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person labeled as ‘help desk manager’ may not raise suspicions, especially if it coincides with an overwhelming amount of spam email. We want companies using Microsoft 365 to be on high alert.”
Malicious Spam and Ransomware
Sophos says these cybercriminals begin by sending around 3,000 spam messages in an hour to targeted employees. Soon after, an attacker posing as an IT support worker contacts the victim through Teams, offering to address the spam deluge. Under the guise of fixing the problem, the hackers persuade staff to grant remote access to their computers.
With the door open, the criminals steal sensitive data and deploy ransomware, malicious software that encrypts files so the organization can no longer use its own systems. Victims are then pressed to pay, both to regain access to their systems and to prevent the stolen data from being published.
Government’s Stance on Ransomware Payments
The rise in ransomware attacks has prompted the UK Government to consider banning ransom payments. Under proposals announced earlier this month, public sector organizations and critical infrastructure providers—such as utilities, transport, and healthcare—would be prohibited from paying ransoms to cybercriminals.
The move aims to deter criminals from targeting UK institutions in the first place. However, previous research suggests that eight in 10 British firms targeted by ransomware attacks have paid up, hoping to secure a quick resolution and recover their compromised data.
What Companies Should Do
Security experts warn that businesses must implement stronger cybersecurity practices, including:
- Restricting External Access: Adjust the Microsoft Teams external access (federation) settings so that only approved partner domains, such as your managed service provider, can message or call staff, and block chats and calls from personal Teams and Skype accounts. Many tenants still run with the default, which lets anyone outside the organization reach employees directly.
- Employee Training: Educate staff about phishing and social engineering, so they recognize and report unsolicited "help desk" calls, especially ones that arrive in the middle of a spam flood, and never grant remote access to someone they did not contact through a known channel.
- Incident Response Plans: Develop and rehearse robust protocols for responding to cyberattacks, including isolating affected systems, revoking any remote access that was granted, and notifying the proper authorities.
- Regular Backups: Frequently back up critical data and keep copies offline or otherwise out of reach of an attacker who controls the network, so systems can be restored without paying.
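The "Restricting External Access" step above, as an added PowerShell example that is not from the article or from Sophos: it uses the tenant federation cmdlets in the MicrosoftTeams module to block chats and calls from personal Teams and Skype accounts and to limit federated tenants to an allow list. The domain msp.example.com is a placeholder for your real IT provider, and the session must be run with Teams administrator rights.

```powershell
# Added example (not from the Sophos report or the article): lock down Teams
# external access so that only approved partner tenants can reach staff.
# Requires the MicrosoftTeams module and a Teams administrator account.
# "msp.example.com" is a placeholder for your actual managed service provider.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current federation settings before changing anything.
#    On a default tenant AllowFederatedUsers is $true with no AllowedDomains,
#    i.e. any external tenant can chat with or call your users.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                AllowPublicUsers, AllowedDomains, BlockedDomains

# 2. Block personal (consumer) Teams accounts and Skype users entirely.
#    AllowTeamsConsumerInbound controls whether consumer accounts may start
#    a conversation with your users; both are switched off here.
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Keep federation on, but only for an explicit allow list of domains.
#    Add one New-CsEdgeDomainPattern per approved partner or provider.
$approved = @(
    New-CsEdgeDomainPattern -Domain "msp.example.com"   # placeholder MSP domain
)
$allowList = New-CsEdgeAllowList -AllowedDomain $approved

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList

# 4. Verify: the allow list should now contain only the approved domains.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Changes to the tenant federation configuration can take some time to propagate to clients, so test from an unapproved external tenant after applying them. If your organization has no legitimate external Teams contacts at all, setting `-AllowFederatedUsers $false` is simpler than maintaining an allow list.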
As hackers continue to refine their tactics, organizations are urged to stay vigilant and invest in comprehensive security measures. While Microsoft Teams has been a vital tool for remote work, especially during the pandemic, its default openness to contacts outside the organization has also made it an attractive channel for cybercriminals.
Companies are encouraged to contact cybersecurity experts if they suspect they have been approached by fraudulent IT support workers or are experiencing a surge in spam messages followed by suspicious communications on Teams.
To empower individuals and businesses in the fight against cybercrime, TheHackAcademy offers a range of online courses designed to demystify cybersecurity and equip learners with practical skills to protect themselves and their organizations. From spotting phishing scams to defending against ransomware attacks, these accessible courses cater to all levels of expertise—whether you’re an IT professional or simply looking to enhance your personal online safety. With expert-led lessons and hands-on simulations, TheHackAcademy provides the tools you need to stay one step ahead of cybercriminals in today’s digital landscape. Learn more and start your journey to cyber resilience at TheHackAcademy.com.