Storm-1811 scammers exploit Quick Assist in Windows 11 ransomware spree


16 May 2024 14:48

The dangerous group of scammers, Storm-1811, has started using the Quick Assist tool in Windows 11 for ransomware campaigns. These attacks begin with vishing. Victims are convinced to provide the access code to their computers. Then, the data is encrypted, and scammers demand a ransom.

Scammers use social engineering to deceive users, convincing them to allow a connection to their computers so that supposed service actions can be performed. Similar attacks using applications such as AnyDesk and TeamViewer are known in Poland. The scenario of these scams often involves impersonating police officers, bank employees, or investment advisors. Therefore, it is worth thinking twice before agreeing to any such connection.

In the case discussed here, according to Microsoft, the Quick Assist application is presented to the victim as an essential technical support tool needed to secure their computer.

Quick Assist is an application built into the Windows 11 system, allowing remote connections to the computer to perform advanced operations that the user cannot handle. Thanks to short, one-time codes, two computers can connect regardless of location, allowing one person to take control of the other's system. Although this tool is helpful, it can be exploited by scammers.

How do scammers operate?

They use this mechanism to upload malicious software onto the victim's computer, which eventually activates the Black Basta ransomware. This type of ransomware has been operational since 2022 and mainly targets countries outside Europe, although there are cases on our continent as well. The criminals' goal is to gain access to sensitive data, encrypt it, and then demand ransom under the threat of data publication online. Unfortunately, this type of scam is becoming increasingly popular.

In the face of such threats, it is worth reminding everyone about the basic principles of internet safety. The key is limited trust, which—as this situation shows—should always be applied, even when someone offers necessary technical help through a remote connection to your computer. Never share access codes or confidential information with individuals whose identities you cannot verify.
