A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files.
Kasseika abuses the Martini driver, part of TG Soft's VirtIT Agent System, to disable antivirus products protecting the targeted system.
According to Trend Micro, whose analysts first discovered and examined Kasseika in December 2023, the new ransomware strain shares many attack-chain and source-code similarities with BlackMatter.
As BlackMatter's source code has never been leaked publicly since its shutdown in late 2021, Kasseika was likely built by former members of the threat group or experienced ransomware actors who purchased its code.
Kasseika attacks start with a phishing email sent to employees of the targeted organization, attempting to steal their account credentials, which are then used for initial access to the corporate network.
Next, Kasseika operators abuse the Windows PsExec tool to execute malicious .bat files on the infected system and on other systems they have reached through lateral movement.
The presence of the Martini driver is crucial in the attack chain, as Kasseika will not proceed further if the 'Martini' service creation fails or if 'Martini.
By exploiting flaws in the loaded driver (the BYOVD technique), the malware gains the privileges needed to terminate 991 processes from a hardcoded list, many of which correspond to antivirus products, security tools, analysis tools, and system utilities.
After the AV processes have been terminated, Kasseika launches the main ransomware binary.
The ransomware utilizes the ChaCha20 and RSA encryption algorithms to encrypt target files, appending a pseudo-random string to the filenames, similar to BlackMatter.
Kasseika drops a ransom note in every directory that it has encrypted and also changes the computer's wallpaper to display a note about the attack.
Finally, Kasseika clears system event logs post-encryption, using commands like 'wevtutil.
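The stages described above (PsExec launching a .bat file, creation of the 'Martini' service, and event-log clearing with wevtutil) are individually weak signals but strong when they co-occur on one host. The following is an added detection sketch, not code from the article or from Trend Micro; the pipe-delimited log shape, the sample records and the stage names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Assumed shape per line:
#   host|event_type|detail   where detail is a command line or a service name.
SAMPLE_LOGS = r"""
HOST01|process_create|C:\Windows\PsExec.exe \\HOST02 -s cmd /c C:\temp\run.bat
HOST02|service_install|Martini
HOST02|process_create|wevtutil.exe cl Security
HOST02|process_create|wevtutil.exe clear-log Application
HOST03|process_create|notepad.exe C:\Users\a\notes.txt
"""

# Process-creation patterns for two of the chain's stages (case-insensitive).
PROCESS_STAGES = {
    # PsExec used to run a batch file, as in the lateral-movement step.
    "psexec_bat": re.compile(r"psexec\S*\.exe.*\.bat\b", re.I),
    # wevtutil clearing a log, as in the post-encryption cleanup step.
    "log_clear": re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
}
# Service name the article says Kasseika must be able to create.
DRIVER_SERVICE = "martini"

def detect_kasseika_chain(log_text):
    """Map each host to the sorted list of chain stages observed on it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, event, detail = line.split("|", 2)
        if event == "service_install" and detail.strip().lower() == DRIVER_SERVICE:
            hits[host].add("martini_service")
        elif event == "process_create":
            for stage, pattern in PROCESS_STAGES.items():
                if pattern.search(detail):
                    hits[host].add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}

def high_confidence_hosts(log_text, min_stages=2):
    """Hosts showing at least min_stages distinct stages; PsExec alone is too common to alert on."""
    chain = detect_kasseika_chain(log_text)
    return sorted(host for host, stages in chain.items() if len(stages) >= min_stages)
```

Running it on the constructed sample flags HOST02 (driver service plus log clearing) while HOST01, which only shows PsExec use, stays below the alert threshold.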
In the attacks seen by Trend Micro, victims were given 72 hours to deposit 50 Bitcoins, with another $500,000 added every 24 hours of delay in resolution.
Trend Micro has published indicators of compromise related to the Kasseika threat separately, in a text file.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 23 Jan 2024 20:00:52 +0000