When the Ransom Note Is a Distraction
Iran's MuddyWater group posed as a ransomware gang, used Microsoft Teams to social-engineer credentials, and deployed Chaos ransomware as cover. The real operation was espionage. Most victims never figured that out.
Thirty-six organizations showed up on the Chaos ransomware leak site in the first three months of 2026. Most of them were American. Their security teams did what security teams do when ransomware hits: they activated their incident response plans, engaged legal counsel, started restoration from backups, and weighed whether to negotiate. Some of them probably paid.
They were responding to the wrong attack.
What Actually Happened
In early 2026, Rapid7's incident response team was called to investigate what appeared to be a standard Chaos ransomware intrusion. The initial access looked familiar — too familiar. The attackers hadn't exploited a vulnerability or sent a phishing email with a malicious attachment. They'd called the victims on Microsoft Teams.
The attack started with a mail bomb. Attackers flooded target employees' inboxes with hundreds of junk messages in a short window — enough to make the inbox unusable and create genuine panic. Then, minutes later, a Microsoft Teams message appeared from an external account claiming to be IT support, offering to help fix the problem they'd just created.
This is vishing — voice phishing through collaboration platforms — and Microsoft's own Detection and Response Team (DART) documented the pattern in a March 2026 blog post. What DART described as a general trend, Rapid7 linked to a specific actor.
The attackers initiated screen-sharing sessions through Teams. With the victim watching, they navigated to internal systems, ran what appeared to be diagnostic commands, and then asked the employee to type their corporate credentials into a Notepad window on their own machine. Not into a login page. Not into a form. Into a local text file, while the attacker watched through screen share.
I want to sit with that for a second. A state-sponsored hacking group, operating under Iran's Ministry of Intelligence, convinced corporate employees to type their passwords into Notepad — while the attacker watched. No exploit. No malware. Just a convincing voice and a manufactured crisis.
In other cases, the attackers directed victims to spoofed web forms disguised as Microsoft Quick Assist authentication pages, harvesting credentials through a more conventional phishing mechanism. Either way, the result was the same: valid corporate credentials, sometimes including MFA tokens, obtained through social engineering conducted entirely over a platform that most organizations treat as a trusted internal channel.
Once inside, the attackers deployed AnyDesk for persistent remote access, executed discovery and lateral movement using standard administrative tooling, and exfiltrated data. Then they deployed Chaos ransomware, posted the victims on the Chaos leak portal, and sent extortion emails.
From the outside, it looked like ransomware. That was the point.
The Mask Slipped
Rapid7's investigation found something that didn't fit the ransomware-as-a-service model. A binary named ms_upd.exe, used during the intrusion, was signed with a code-signing certificate registered to "Donald Gay." That name is not a person. It's a known indicator — a certificate identity that has appeared repeatedly in MuddyWater operations, specifically tied to a CastleLoader downloader variant called Fakeset.
MuddyWater is the industry designation for an Iranian threat group operating under Iran's Ministry of Intelligence and Security (MOIS). Other tracking names include Mango Sandstorm (Microsoft), Seedworm (Symantec), and Static Kitten (CrowdStrike). They've been active since at least 2017 and historically focus on intelligence collection against government, defense, telecom, and energy targets across the Middle East, South Asia, and increasingly the United States.
The "Donald Gay" certificate, along with its companion "Amy Cherne" identity, forms a distinct infrastructure cluster that Check Point Research and other firms have linked to MuddyWater's broader "Operation Olalampo" campaign targeting U.S. organizations in early 2026.
This was not a criminal ransomware operation. It was an Iranian state-sponsored espionage campaign wearing a ransomware costume.
Why the Disguise Changes Everything
The distinction between ransomware and espionage isn't academic. It changes everything about how you respond.
When ransomware hits, the response focuses on containment, restoration, and a negotiation decision. You isolate affected systems, restore from backups, assess the blast radius of the encryption, and decide whether the data loss or operational disruption justifies paying. The attacker's objective is straightforward: money. Your response is about limiting the financial damage.
When espionage hits, the encryption is theater. The attacker's objective was already achieved before the ransomware ever ran. They've exfiltrated your data — intellectual property, business communications, strategic documents, whatever they were after. Restoring from backups doesn't undo the data theft. Paying the ransom is irrelevant to the actual damage. The real incident response work is understanding what was accessed, what was taken, and what the downstream exposure looks like — a fundamentally different exercise from ransomware recovery.
If your IR team treated this as a ransomware incident and declared recovery complete after restoring systems, they missed the point entirely. The attacker got what they came for, used the ransomware to obscure that fact, and walked away while you were focused on the wrong problem.
This is the core of the false flag strategy. As Rapid7 put it: "The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution." It works because ransomware is so common that incident responders are primed to classify it as the default explanation for any intrusion that ends with encrypted files.
The Teams Problem
The access vector deserves separate attention. MuddyWater didn't exploit a software vulnerability. They didn't send a phishing email. They used Microsoft Teams — a platform that most organizations leave wide open to external communications by default.
Microsoft Teams federates by default. Unless your admin has explicitly restricted external access, anyone with a Microsoft or Entra ID account can send you a Teams message. That includes attackers using throwaway tenants registered under generic names like "IT Support" or "Help Desk." The message arrives in the same interface as legitimate internal communications. There's a small banner noting the sender is external, but in the context of a flooded inbox and an employee who wants the problem fixed, that banner is invisible.
Microsoft has documented this attack pattern repeatedly. Their March 2026 DART blog described attackers convincing employees to grant remote access through Quick Assist after impersonating IT support via Teams. In April, Microsoft published a second blog specifically covering cross-tenant helpdesk impersonation leading to data exfiltration. The pattern is established. The mitigations are known. Most organizations haven't implemented them.
The fix requires proactive configuration that most orgs haven't done. Teams external access needs to be restricted to an allowlist of trusted domains. Quick Assist needs to be disabled on endpoints where it's not required for IT support. Remote access tools need to be inventoried and anything not actively used by IT should be blocked via application control.
These changes reduce convenience. Restricting external access means employees can't easily chat with partners, vendors, and clients on different Microsoft tenants. Disabling Quick Assist means your help desk needs a different remote support tool. These are real trade-offs. Most organizations have chosen convenience, and attackers have adjusted accordingly.
What Iran Gets Out of This
MuddyWater's shift toward false flag ransomware operations fits a broader pattern in Iranian MOIS operations. Check Point Research documented in March 2026 that Iranian MOIS actors are increasingly operating as customers of Russian and Eastern European malware-as-a-service platforms — using criminal infrastructure to provide plausible deniability for state-directed operations.
The logic is straightforward. If your espionage operation looks like a ransomware attack, the victim organization treats it as a criminal matter. They engage their cyber insurance. They negotiate with what they think is a financial extortionist. They may not report it to government counterintelligence agencies because they've classified it as a crime, not an act of espionage. The intelligence collection goes unreported, uninvestigated, and unattributed.
For a mid-size intelligence service competing against larger operations like China's MSS or Russia's SVR, this is an efficient strategy. You piggyback on the infrastructure and reputation of criminal ransomware ecosystems, conduct your actual intelligence operations under their cover, and let the victims respond to the wrong threat.
The 36 Chaos victims are the visible ones. How many organizations have been hit by state-sponsored espionage that they classified as criminal ransomware — and never looked deeper?
That number is unknowable. Which is exactly the point.
What to Do
- Restrict Microsoft Teams external access. In the Teams admin center, switch external access from the default open federation to an allowlist of trusted domains. This is the single highest-impact change against this specific attack pattern.
- Disable Quick Assist on endpoints that don't need it. Use Group Policy or Intune to remove or block Quick Assist. Your actual IT help desk should use a tool that requires pre-authentication, not one that allows anonymous screen sharing.
- Inventory every remote access tool in your environment. AnyDesk, TeamViewer, LogMeIn, ConnectWise ScreenConnect — if your IT team doesn't actively use it, it should be blocked by application control policy. MuddyWater deployed AnyDesk for persistence because nothing stopped them.
- Train employees on vishing through Teams. Most security awareness training focuses on email phishing. Teams-based social engineering is real-time, conversational, and feels like talking to a colleague. Employees need to know that IT support will never ask them to type credentials into a text file, and that external Teams messages should be treated with the same suspicion as cold calls from unknown numbers.
- Treat ransomware as a possible cover story. If your IR investigation finds ransomware, don't stop there. Check for data exfiltration that predates the encryption. Check for persistence mechanisms that don't match the ransomware group's known toolkit. Check for signed binaries with unexpected certificate identities. If anything doesn't fit the criminal model, escalate to CISA or your national CERT.
- Hunt for specific indicators. The "Donald Gay" and "Amy Cherne" code-signing certificates are known MuddyWater infrastructure markers. If you're reviewing past incidents, search your endpoint logs and code-signing caches for these identities. Finding one doesn't confirm MuddyWater attribution on its own, but it warrants a closer look at what else happened during that intrusion.
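The two hunting steps above (signed binaries with unexpected certificate identities, and the named signer watch-list) can be run as a single pass over an endpoint inventory. The script below is an added example, not code from Rapid7 or the article; the CSV column names and the sample rows are constructed for illustration, and only the signer names and the ms_upd.exe filename come from the article.

```python
"""Flag binaries whose code-signing identity or filename matches indicators
from the MuddyWater/Chaos intrusion described above.

The export format (host, path, signer_cn, sig_status) is an assumption for
this example; map your EDR or signature-audit export onto these columns.
"""
import csv
import io

# Signer identities the article names as MuddyWater infrastructure markers.
WATCHLIST_SIGNERS = {"donald gay", "amy cherne"}
# Filename the article reports for the signed binary used in the intrusion.
WATCHLIST_NAMES = {"ms_upd.exe"}

# Constructed sample export (not real telemetry). Third-party signer is a placeholder.
SAMPLE_EXPORT = """host,path,signer_cn,sig_status
WS-101,C:\\Windows\\System32\\notepad.exe,Microsoft Windows,Valid
WS-101,C:\\Users\\jdoe\\Downloads\\ms_upd.exe,Donald Gay,Valid
WS-102,C:\\ProgramData\\svc\\update.exe,Amy Cherne,Valid
WS-103,C:\\Program Files\\Vendor\\remote.exe,Example Vendor Ltd,Valid
WS-104,C:\\Temp\\tool.exe,,NotSigned
"""


def hunt(export_text: str) -> list[dict]:
    """Return one finding per row matching a watch-listed signer or filename.

    A valid signature from an unexpected identity is the point: the binary
    passed signature checks, so signer CN, not sig_status, is what we key on.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        signer = (row.get("signer_cn") or "").strip().lower()
        name = row["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if signer in WATCHLIST_SIGNERS:
            reasons.append(f"signer '{row['signer_cn']}' is on the watch-list")
        if name in WATCHLIST_NAMES:
            reasons.append(f"filename '{name}' matches the reported binary")
        if reasons:
            findings.append({"host": row["host"], "path": row["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EXPORT):
        print(f"{f['host']}  {f['path']}  ->  {'; '.join(f['reasons'])}")
```

A hit is a lead for the post-incident review the article calls for, not an attribution on its own; pivot from the host and path to what else ran there and what left the network before the encryption.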
The Uncomfortable Part
The hardest thing about false flag operations is that they exploit the assumptions IR teams need to work quickly. When ransomware hits, you don't have time to investigate whether it might really be a nation-state operation. You need to contain and restore. The false flag works precisely because the urgency of the ransomware response crowds out the slower, more methodical investigation that would reveal the espionage underneath.
There's no clean answer to this. You can't treat every ransomware incident as potential espionage — nobody has the resources. What you can do is build in a post-incident review that specifically asks: does everything about this intrusion fit the criminal model? Are there tools, techniques, or infrastructure that don't match the group that claimed credit? Does the exfiltration pattern look like financial extortion, or does it look more like intelligence collection?
If something doesn't fit, it probably isn't what it looks like.
Sources: Rapid7, The Hacker News, BleepingComputer, Microsoft Security Blog — DART, Check Point Research, Infosecurity Magazine