Qilin affiliates launch spear-phishing campaign targeting MSP ScreenConnect admins and downstream customers, warns Sophos News

In late January 2025, a Managed Service Provider (MSP) administrator fell victim to a sophisticated phishing email that led to a ransomware attack on the MSP’s customers. The email, disguised as an authentication alert for their ScreenConnect Remote Monitoring and Management (RMM) tool, was cleverly crafted to deceive the administrator into clicking on a link that ultimately gave the attackers access to their credentials.

According to Sophos MDR's Threat Intelligence team, the attack was attributed to a ransomware affiliate tracked as STAC4365, which has been linked to phishing campaigns dating back to late 2022. The attackers used a fake ScreenConnect domain to lure the administrator into entering their credentials on a phishing site masquerading as the legitimate login page. By intercepting the Multi-Factor Authentication (MFA) input as well, the attackers gained access to the administrator's super administrator account, which allowed them to deploy the Qilin ransomware.

Qilin is a Ransomware-as-a-Service program that has been operating since 2022, recruiting affiliates on Russian-language cybercrime forums. The ransomware is known for its data-leak site hosted on Tor, applying pressure on victims to pay the ransom by threatening to release sensitive data. The attackers in this incident launched a data-leak site named “WikiLeaksV2” to further intimidate their victims.

STAC4365, the group behind the phishing attack, has a history of using Evilginx, an adversary-in-the-middle phishing framework, to harvest credentials and bypass MFA. Phishing sites associated with STAC4365 have spoofed legitimate ScreenConnect URLs since November 2022, a consistent pattern of activity focused on impersonating those URLs.

The attack chain following the initial phishing lure involved deploying a malicious ScreenConnect instance, network enumeration, user discovery, resetting credentials, and exfiltrating data via WinRAR to an external site. The attackers also took steps to evade detection, modified boot options, and deployed the Qilin ransomware across multiple customer environments.

SophosLabs analyzed the ransomware binary used in the attack, noting functionality such as disabling the Volume Shadow Copy (VSS) service, deleting shadow copies, and setting a ransom message as the desktop wallpaper. Each customer environment impacted by the ransomware had a unique password associated with executing the ransomware binary, indicating a targeted approach by the attackers.
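The pre-encryption behaviours named above (disabling VSS, deleting shadow copies, changing boot options) are among the few high-signal events a defender gets before data is encrypted. The following is an added example, not code from Sophos or from the report, showing how a small set of detection rules can be run over process-creation telemetry and correlated per host. The telemetry lines are constructed, and the specific command patterns in RULES are assumptions about how those behaviours typically appear in command lines, not indicators taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample process-creation telemetry (Sysmon-style key=value lines).
# These are illustrative events, not data from the Sophos report.
SAMPLE_EVENTS = [
    'ts=2025-01-28T02:14:05Z host=WS01 user=CORP\\svc_rmm image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2025-01-28T02:14:09Z host=WS01 user=CORP\\svc_rmm image="C:\\Windows\\System32\\bcdedit.exe" cmdline="bcdedit /set {default} safeboot minimal"',
    'ts=2025-01-28T02:14:11Z host=WS01 user=CORP\\svc_rmm image="C:\\Windows\\System32\\sc.exe" cmdline="sc config vss start= disabled"',
    'ts=2025-01-28T02:15:00Z host=WS02 user=CORP\\jdoe image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin list shadows"',
    'ts=2025-01-28T02:16:30Z host=WS03 user=CORP\\backup image="C:\\Program Files\\Backup\\agent.exe" cmdline="agent.exe --snapshot"',
]

# Detection rules: (rule name, pattern matched against the lower-cased command line).
# The command patterns are assumptions about how the behaviours named in the article
# (shadow copy deletion, VSS disabling, boot option changes) show up in telemetry.
RULES = (
    ("shadow_copy_deletion", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic\b.*\bshadowcopy\s+delete\b")),
    ("vss_service_disabled", re.compile(r"\bsc\b.*\bconfig\s+vss\b.*\bstart=\s*disabled\b")),
    ("vss_service_disabled", re.compile(r"\bnet\s+stop\s+vss\b")),
    ("boot_option_modified", re.compile(r"\bbcdedit\b.*\b(safeboot|recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
)


def parse_event(line):
    """Split a key=value telemetry line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        key, value = m.group(1), m.group(2)
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def detect(lines):
    """Return one finding per (event, rule) pair; benign admin commands produce none."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        hits = {name for name, pattern in RULES if pattern.search(cmdline.lower())}
        for name in sorted(hits):
            findings.append({
                "ts": event.get("ts"), "host": event.get("host"),
                "user": event.get("user"), "rule": name, "cmdline": cmdline,
            })
    return findings


def hosts_at_risk(findings, min_distinct_rules=2):
    """Hosts where several distinct precursor behaviours occurred: escalate these first."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
    print("hosts at risk:", hosts_at_risk(found))
```

A single "vssadmin list shadows" (WS02) is ordinary administration and is deliberately not flagged; the correlation in hosts_at_risk is what separates a host under active ransomware staging (WS01, three distinct behaviours within seconds) from one-off noise. In a real deployment these rules would run in the EDR or SIEM, and the response to a boot-option change or shadow-copy deletion should be isolation rather than a ticket.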

To defend against such attacks, organizations are advised to enhance phishing training for users, implement DMARC checks on incoming email, restrict access to known managed devices, and deploy protections against safe-boot restarts. Indicators of compromise for STAC4365 and Qilin are available on Sophos's GitHub page for reference.
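The DMARC recommendation is worth making concrete, because what it does and does not catch is easy to misjudge. The following is an added example, not code from Sophos or from any mail vendor, of the receiver-side DMARC decision: parse the published record, check whether the SPF or DKIM authenticated domain aligns with the visible From domain, and map a failure to the record's policy. It assumes the MTA has already produced the SPF and DKIM results and that the record text is supplied by the caller (a real gateway fetches the TXT record at _dmarc.<From-domain>); the domains, records and messages are constructed, and pct= and sp= are ignored for brevity.

```python
# Minimal receiver-side DMARC evaluation (added example, not a vendor implementation).
# Assumptions: the DMARC record text is passed in by the caller, SPF/DKIM results
# come from the receiving MTA, and the pct= and sp= tags are not implemented.

def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    A production check uses the Public Suffix List (e.g. for *.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition); disposition is deliver, quarantine or reject."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "deliver")
    return "fail", disposition


# Constructed inbound messages; example.com stands in for the impersonated vendor domain.
SAMPLE_MESSAGES = [
    {   # header From spoofs the vendor; SPF passed only for the sender's own domain
        "from": "example.com", "spf": ("pass", "lookalike.example"), "dkim": ("none", None)},
    {   # legitimate alert: DKIM-signed by the vendor's organisational domain
        "from": "alerts.example.com", "spf": ("fail", "alerts.example.com"), "dkim": ("pass", "example.com")},
]
VENDOR_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed record for example.com


def triage(messages, record=VENDOR_RECORD):
    """Evaluate each constructed message against the vendor's DMARC record."""
    return [evaluate_dmarc(m["from"], record, *m["spf"], *m["dkim"]) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(message["from"], "->", verdict)
```

The caveat a practitioner needs: DMARC rejects the first message only because its From header claims the vendor's exact domain. A lure sent from a registered lookalike domain that publishes its own SPF, DKIM and DMARC records passes this check cleanly, and the credential theft described above happened on the phishing site, not in the mail flow. That is why the recommendations pair DMARC with restricting RMM access to known managed devices and with user training on lookalike login pages.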

Overall, the incident highlights the need for organizations to remain vigilant against evolving cyber threats and implement robust security measures to protect against ransomware attacks.
