Black Basta

Tech Optimizer
November 2, 2025
Cybercriminals are deploying deceptive ads for Microsoft Teams that lead users to malicious software downloads, including ransomware like Rhysida’s OysterLoader. These ads appear prominently in search results and redirect users to counterfeit websites. The malware, often disguised as the legitimate Teams application and signed with counterfeit certificates, can evade antivirus detection and compromise systems. Microsoft has revoked over 200 compromised certificates to disrupt these campaigns and issued warnings about downloading software from unverified sources. The rise of these attacks targets collaboration tools, particularly amid the remote work trend, with hackers exploiting platforms like Teams for espionage and credential theft. Experts recommend navigating directly to official websites and implementing strong endpoint protection to combat these threats.
Winsage
September 12, 2025
A U.S. senator, Ron Wyden, has requested an investigation by the Federal Trade Commission (FTC) into Microsoft's role in a ransomware attack on Ascension Health, alleging "gross cybersecurity negligence." The attack, which occurred in 2024, involved hackers using a method called "Kerberoasting" to exploit Microsoft’s Active Directory server, taking advantage of the outdated RC4 encryption standard. Wyden criticized Microsoft for not making the more secure Advanced Encryption Standard (AES) the default option in Windows and for failing to adequately warn customers about vulnerabilities related to Kerberoasting. Microsoft acknowledged that RC4 is outdated but stated that disabling it could disrupt customer systems. The company plans to disable RC4 by default in new installations of Active Directory Domains using Windows Server 2025 by early 2026. Wyden noted that the ransomware attack originated from a malicious link clicked by a contractor while using Microsoft’s Bing, leading to malware installation and subsequent ransomware deployment across Ascension’s systems. The attack severely impacted Ascension's operations, forcing its 140 hospitals to revert to manual processes for weeks and compromising sensitive data of nearly 6 million individuals. Patients in Texas, Illinois, and Tennessee have filed class action lawsuits against Ascension due to the breach. The Black Basta ransomware gang has been implicated in the attack, although they have not claimed responsibility.
Winsage
September 1, 2025
Cybercriminals are using Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, creating vulnerabilities in corporate security. Ransomware groups like Black Basta have adopted this method, which evolved from a proof-of-concept tool called "Krueger" into real malware named "DreamDemon." Attackers manipulate the C:\Windows\System32\CodeIntegrity\SiPolicy.p7b file to implement malicious WDAC policies that block EDR executables during system startup. The technique involves a four-step process: loading the policy, placing it in the CodeIntegrity directory, hiding the policy file, and creating decoy log files. DreamDemon samples, written in C++, exhibit enhanced stealth and target major EDR vendors. Detection efforts focus on monitoring specific registry keys and analyzing file signatures. Despite awareness of this threat, EDR vendors have not implemented sufficient preventative measures, leaving systems exposed.
Winsage
July 24, 2024
The attack chain begins with a phishing email containing a malicious link that downloads an LNK file, which then executes an HTA script that decodes a payload. Two types of shellcode injectors are used to inject a final stealer into legitimate processes. The stealer deployed can target various applications and is tailored to specific regions. Implementing Microsoft's latest security updates is crucial to stay protected against the CVE-2024-21412 vulnerability.
Winsage
July 17, 2024
FIN7 developed AuKill, an anti-security tool designed to undermine endpoint security, which has been used by ransomware groups in their attacks. AuKill targets protected processes monitored by EDR solutions using time-travel debugging and Process Explorer drivers, causing crashes in targeted systems. Organizations are advised to strengthen their security solutions with anti-tampering protections to defend against kernel-mode attacks.
Winsage
July 1, 2024
- Some Windows 11 users are experiencing unexpected reboot loops after a recent update (KB5039302)
- Microsoft advises affected users to perform recovery operations to restore normal operation
- The issue primarily affects corporate machines with specific features, so home users are unlikely to be impacted
- Microsoft continues to encourage users to upgrade to Windows 11 to ensure system security and compliance
Winsage
June 29, 2024
Some Windows 11 users are facing a restart loop issue after installing the June update KB5039302. This issue mainly affects enterprise machines running virtual machine tools and nested virtualization features, so home users are less likely to be impacted. The update is not mandatory and not a security update, so users should proceed with updating as usual. Windows 10 end-of-life is approaching on October 14, 2025, and users are urged to upgrade to Windows 11 to continue receiving security updates and technical support.