🎯Basically, hackers are tricking company leaders into installing software that gives them control over their computers.
What Happened
Suspected former affiliates of the notorious Black Basta ransomware group are ramping up their attacks on senior executives through sophisticated social-engineering tactics. These attacks primarily utilize Microsoft Teams for phishing, aiming to deploy remote monitoring and management (RMM) software. According to a recent report by ReliaQuest, the volume of these attacks has significantly increased in 2026, with a notable focus on company leadership.
Who's Being Targeted
The attackers are increasingly focusing on senior-level staff, with 77% of the attacks in March 2026 directed at executives. This marks a sharp rise from 59% in January and February. The sectors most affected include manufacturing and professional, scientific, and technical services (PSTS), which together account for over a quarter of the victims. Other heavily targeted industries include finance, insurance, construction, and technology.
How It Works
The attack typically begins with "email bombing," where the targeted executive receives a barrage of emails. Following this, they receive a Teams message purportedly from IT support, offering assistance with the disruptive spam. The attackers have automated this process, sending messages to multiple staff members within seconds, increasing the likelihood of success.
Once engaged, the attacker convinces the victim to install RMM software, such as Supremo Remote Desktop or to use Windows Quick Assist, which is preinstalled on Windows 11 machines. After gaining access, the attackers execute malicious scripts disguised as legitimate email tools, like "MailAccountWizard.jar." While no ransomware deployment has been observed in these incidents, the behavior aligns with pre-ransomware staging tactics seen in previous Black Basta attacks.
Tactics & Techniques
The similarities in tactics, techniques, and procedures (TTPs) suggest that these attackers are either former Black Basta affiliates or closely collaborating with another group. The use of social engineering, RMM tools, and targeting of specific sectors indicates a high level of familiarity with Black Basta's operational playbook.
Defensive Measures
As these attacks on senior executives increase, organizations are urged to conduct targeted training for their leadership. This includes simulations that mimic Teams phishing attacks and educating employees on verifying the identity of help desk staff through multiple channels. Additionally, companies should consider restricting the execution of RMM tools to only allow-listed applications and authorized IT personnel.
In summary, the resurgence of Black Basta-linked tactics poses a significant threat to organizational security, particularly for executives who have greater access to sensitive systems. Organizations must be proactive in their training and security measures to mitigate these risks.
🔒 Pro insight: The shift towards targeting executives highlights a strategic pivot in ransomware tactics, emphasizing the need for enhanced security protocols at leadership levels.
