This article is meant for end users, employees, and IT teams working in Windows environments who may be targeted by unsolicited remote support requests. It focuses specifically on social-engineering and voice-phishing attacks that abuse Windows Quick Assist, rather than on ransomware payload analysis or broader malware remediation.

Black Basta, a global ransomware campaign, has been known to abuse Windows Quick Assist to gain control over targeted victims’ machines. Windows Quick Assist is a remote view/control application built right into Windows for use by technical professionals providing remote assistance, and it can allow an outside party to gain control over your machine.

Once control is established, the ransomware payload is delivered and the attack begins.

What should you be on the lookout for?

Here is how they typically abuse Windows Quick Assist:

Attackers will subscribe the target’s email address to multiple subscription services, flooding the target’s inbox with unsolicited emails. The attackers then call the target and impersonate either Microsoft technical support or internal IT support from the target’s company.

The attackers offer help to remediate the spam and walk the target through the steps to allow control via Windows Quick Assist. This is a type of attack known as “Voice Phishing”, as the attackers are on the phone while attempting to coerce the target into allowing remote access and providing login credentials.

If you are experiencing a sudden uptick of subscription spam in your email, please contact your designated IT staff for assistance. Never trust unsolicited support calls.

ALWAYS verify who you are speaking with. Whether it’s IT support-related or not, you should always be 100% certain of what you are being asked to do and who is requesting you to do it. If you ever feel even a moment’s hesitation or have one iota of doubt, STOP what you are doing and contact someone you trust immediately.

As always, GCS is here to help if you have any questions about this or other security topics.


FAQ: Black Basta Ransomware and Windows Quick Assist Abuse

What is Windows Quick Assist and why do attackers abuse it?

Windows Quick Assist is a built-in Windows tool that allows remote screen viewing and control. Attackers abuse it because it’s trusted, pre-installed, and doesn’t always raise security alarms.

How does the Black Basta attack typically start?

Attackers flood a victim’s inbox with subscription spam, then call the victim pretending to be Microsoft or internal IT support to “help” resolve the issue.

What is voice phishing (vishing)?

Vishing is a social engineering attack where criminals use phone calls to pressure victims into granting access, sharing credentials, or installing tools like Quick Assist.

What are the warning signs of this type of attack?

Unsolicited support calls, sudden spam floods, urgency, pressure to act quickly, requests to enable remote access, or instructions that bypass normal IT processes.

How can organizations reduce the risk of Quick Assist–based attacks?

By training employees to never trust unsolicited support calls, enforcing strict verification procedures, limiting remote access tools, and encouraging employees to stop and report anything suspicious.
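
For IT teams, the sudden spam flood that precedes the support call can be flagged from mail logs before the phone rings. The following is an added example, not part of the original article or any GCS tooling: it assumes mail-gateway records reduced to (time, recipient, sender domain, subject), and the phrase list, thresholds, and sample data are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subject phrases typical of list sign-up mail (assumed list; tune for your gateway).
SIGNUP_HINTS = ("confirm your subscription", "verify your email",
                "thanks for signing up", "welcome to", "newsletter")

def looks_like_signup(subject):
    s = subject.lower()
    return any(h in s for h in SIGNUP_HINTS)

def find_spam_floods(records, window=timedelta(minutes=30),
                     min_messages=20, min_domains=10):
    """records: iterable of (datetime, recipient, sender_domain, subject).
    Returns {recipient: time the flood threshold was first crossed}."""
    recent = defaultdict(deque)   # recipient -> (time, domain) inside the window
    alerts = {}
    for ts, rcpt, domain, subject in sorted(records):
        if not looks_like_signup(subject):
            continue
        q = recent[rcpt]
        q.append((ts, domain))
        while ts - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        # Many messages from many unrelated senders is the flood pattern;
        # one noisy sender alone is not.
        if (rcpt not in alerts and len(q) >= min_messages
                and len({d for _, d in q}) >= min_domains):
            alerts[rcpt] = ts
    return alerts

def build_sample():
    """Constructed sample log: one flooded mailbox and two normal ones."""
    t0 = datetime(2024, 1, 1, 9, 0)
    rows = [(t0 + timedelta(minutes=i), "alice@example.com", f"list{i}.example",
             f"Confirm your subscription to list {i}") for i in range(25)]
    rows += [(t0 + timedelta(minutes=i), "carol@example.com", "shop.example",
              "Welcome to our newsletter") for i in range(25)]
    rows += [(t0 + timedelta(hours=h), "bob@example.com", f"news{h}.example",
              "Weekly newsletter") for h in range(3)]
    rows.append((t0, "alice@example.com", "corp.example", "Q3 budget review"))
    return rows

if __name__ == "__main__":
    for rcpt, when in find_spam_floods(build_sample()).items():
        print(f"possible subscription flood: {rcpt} at {when:%H:%M}")
```

A flagged mailbox is a cue for IT to contact that user first through a known channel, so that any later "support" call about the spam is recognized as unsolicited.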
