Kasseika, a ransomware gang, has become the latest to use the Bring Your Own Vulnerable Driver (BYOVD) attack to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood.
Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration.
Given that the source code of BlackMatter was never made public after its demise in November 2021, the evidence suggests that the ransomware strain may have been created by an experienced threat actor who purchased or otherwise secured access to the code.
Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools to escalate privileges and propagate across the target network.
The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script, which first terminates all services and processes that are attempting to access the Windows Restart Manager.
The computer's wallpaper is subsequently modified to display a note demanding a payment of 50 bitcoin to a wallet address within 72 hours, with an additional $500,000 added every 24 hours once the deadline elapses.
A ransom note is then dumped in every directory that has been encrypted.
In order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers.
The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of its activity from the system's event logs using the wevtutil utility.
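The log-wiping step described above leaves its own traces that a defender can look for in endpoint telemetry. The following is an added example, not code from the page or from any vendor's detection content; it assumes constructed log records shaped like Sysmon event 1 or Security 4688 process-creation entries plus the Security 1102 and System 104 "log cleared" events, and flags wevtutil invocations that clear a log.

```python
"""Toy detector for wevtutil-based event-log clearing (added example)."""
import re
import shlex
from typing import Iterable

# Windows writes these when a log is cleared: Security 1102 ("audit log
# was cleared") and System 104 ("log file was cleared").
LOG_CLEARED_EVENT_IDS = {("Security", 1102), ("System", 104)}
# Both Sysmon event 1 and Security 4688 carry the process command line.
PROCESS_CREATE_EVENT_IDS = {("Sysmon", 1), ("Security", 4688)}
# wevtutil sub-commands that clear a named log.
WEVTUTIL_CLEAR = re.compile(r"^(cl|clear-log)$", re.IGNORECASE)


def is_wevtutil_clear(command_line: str) -> bool:
    """True if the command line invokes wevtutil to clear an event log."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:
        return False
    if not argv:
        return False
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]  # basename only
    if exe not in ("wevtutil", "wevtutil.exe"):
        return False
    return any(WEVTUTIL_CLEAR.match(arg) for arg in argv[1:])


def detect_log_wiping(records: Iterable[dict]) -> list[str]:
    """Return one alert string per record that indicates log clearing."""
    alerts = []
    for r in records:
        key = (r.get("channel"), r.get("event_id"))
        if key in LOG_CLEARED_EVENT_IDS:
            alerts.append(f"{r['time']} {key[0]} log cleared (event {key[1]}) "
                          f"on {r.get('host', '?')} by {r.get('user', '?')}")
        elif key in PROCESS_CREATE_EVENT_IDS:
            cmd = r.get("command_line", "")
            if is_wevtutil_clear(cmd):
                alerts.append(f"{r['time']} wevtutil clear on {r.get('host', '?')}: {cmd}")
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"time": "2024-01-10T03:14:02Z", "host": "ws01", "channel": "Sysmon", "event_id": 1,
     "command_line": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"time": "2024-01-10T03:14:02Z", "host": "ws01", "channel": "Sysmon", "event_id": 1,
     "command_line": "wevtutil.exe qe Application /c:5"},  # benign log query
    {"time": "2024-01-10T03:14:03Z", "host": "ws01", "channel": "Security", "event_id": 1102,
     "user": "ws01\\admin"},
    {"time": "2024-01-10T03:14:03Z", "host": "ws01", "channel": "System", "event_id": 104},
]

if __name__ == "__main__":
    for alert in detect_log_wiping(SAMPLE_RECORDS):
        print(alert)
```

On the sample set this yields three alerts: the `wevtutil cl Security` process creation and the two "log cleared" events, while the benign `wevtutil qe` query is ignored.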
This Cyber News was published on www.cysecurity.news. Publication date: Sun, 28 Jan 2024 14:13:05 +0000