Kasseika ransomware uses antivirus driver to kill other antiviruses

A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employs Bring Your Own Vulnerable Driver tactics to disable antivirus software before encrypting files.
Kasseika abuses the Martini driver, part of TG Soft's VirtIT Agent System, to disable antivirus products protecting the targeted system.
According to Trend Micro, whose analysts first discovered and examined Kasseika in December 2023, the new ransomware strain features many attack chains and source code similarities with BlackMatter.
As BlackMatter's source code has never been leaked publicly since its shutdown in late 2021, Kasseika was likely built by former members of the threat group or experienced ransomware actors who purchased its code.
Kasseika attacks start with a phishing email sent to employees of the targeted organization, attempting to steal their account credentials, which will then be used for initial access to the corporate network.
Next, Kasseika operators abuse the Windows PsExec tool to execute malicious.
Bat files on the infected system and others they have accessed through lateral movement.
The presence of that driver is crucial in the attack chain, as Kasseika will not proceed further if the 'Martini' service creation fails or if 'Martini.
By using BYOVD attacks, aka exploiting flaws in the loaded driver, the malware gains the privileges to terminate 991 processes from a hardcoded list, many of which correspond to antivirus products, security tools, analysis tools, and system utilities.
Exe to terminate AV processes and then launches the main ransomware binary.
The ransomware utilizes the ChaCha20 and RSA encryption algorithms to encrypt target files, appending a pseudo-random string to the filenames, similar to BlackMatter.
Kasseika drops a ransom note in every directory that it has encrypted and also changes the computer's wallpaper to display a note about the attack.
Finally, Kasseika clears system event logs post-encryption, using commands like 'wevutil.
In the attacks seen by Trend Micro, victims were given 72 hours to deposit 50 Bitcoins, with another $500,000 added every 24 hours of delay in resolution.
Trend Micro has published indicators of compromise related to the Kasseika threat separately in this text file.
Majorca city Calvià extorted for $11M in ransomware attack.
New Black Basta decryptor exploits ransomware flaw to recover files.
Vans and North Face owner VF Corp hit by ransomware attack.
Ransomware attack on indie game maker wiped all player accounts.
Tietoevry ransomware attack causes outages for Swedish firms, cities.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 23 Jan 2024 20:00:52 +0000


Cyber News related to Kasseika ransomware uses antivirus driver to kill other antiviruses

Kasseika ransomware uses antivirus driver to kill other antiviruses - A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employs Bring Your Own Vulnerable Driver tactics to disable antivirus software before encrypting files. Kasseika abuses the Martini driver, part of ...
10 months ago Bleepingcomputer.com
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
10 months ago Bleepingcomputer.com
Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses - Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver assault to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. ...
10 months ago Cysecurity.news
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
StopCrypt: Most widely distributed ransomware now evades detection - A new variant of StopCrypt ransomware was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that ...
9 months ago Bleepingcomputer.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
11 months ago Securityboulevard.com
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
2 months ago Securelist.com
CVE-2012-1443 - The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal (aka Cat QuickHeal) 11.00, G Data AntiVirus 21, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Command Antivirus 5.2.11.5, Ikarus Virus Utilities T3 Command ...
12 years ago
CVE-2012-1459 - The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal (aka Cat QuickHeal) 11.00, ...
6 years ago
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
9 months ago Feeds.fortinet.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
10 months ago Malwarebytes.com
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
10 months ago Securityboulevard.com
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
10 months ago Techrepublic.com
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
1 year ago Bleepingcomputer.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
10 months ago Feeds.fortinet.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
9 months ago Bleepingcomputer.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
7 months ago Bleepingcomputer.com
VX-Underground malware collective framed by Phobos ransomware - A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the ...
1 year ago Bleepingcomputer.com
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
11 months ago Cybersecuritynews.com
How ransomware gangs are engaging - As ransomware gangs continue to market themselves as legitimate businesses complete with customer service representatives, new research from Sophos showed that threat actors are expanding public relations efforts to further pressure victims into ...
1 year ago Techtarget.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)