Kasseika, a recently emerged ransomware family [3], has adopted the bring-your-own-vulnerable-driver (BYOVD) technique [1] [2] [5] [6]: it loads the signed but vulnerable Martini driver to kill antivirus software before encrypting files. Overlaps with the now-defunct BlackMatter ransomware suggest a possible connection between the two [6].

Description

Kasseika's attack chain begins with targeted phishing to steal credentials, which are then used to run malicious files on the network with the Windows PsExec tool [3]. The malware drops the vulnerable Martini.sys driver [3]; once the driver is loaded, the attacker has kernel-level access and uses it to terminate antivirus and other security processes [3] [5] [6]. With the defenses down, the ransomware binary runs and encrypts target files using ChaCha20 together with RSA (the usual hybrid pattern: a symmetric cipher for file contents and RSA to protect the symmetric keys). Kasseika demands payment in Bitcoin and offers a decrypter in return [3]. After encryption it replaces the desktop wallpaper with its ransom notice and clears the Windows event logs to hinder forensic analysis [6].
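The chain above has three observable steps on the endpoint: execution via the PsExec service, a driver loaded from a location where drivers normally never live, and event-log clearing. The following is an added detection example written for this page (not code from Trend Micro or any other source cited here). It scores constructed, Sysmon-style event records; the field names are an assumption chosen to mirror Sysmon Event ID 1 (process create) and Event ID 6 (driver load), and the sample telemetry is invented for illustration.

```python
"""Detection sketch for the BYOVD-plus-anti-forensics chain described above.

Added example, not code from any vendor or report cited on the page. Input is a
list of simplified Sysmon-style events (dicts). Field names are an assumption
mirroring Sysmon Event ID 1 (process create) and Event ID 6 (driver load), and
SAMPLE_EVENTS is constructed telemetry, not captured data.
"""
import re
from collections import defaultdict

# Driver file names the page reports as abused (Martini.sys). Extend from your
# own intelligence; this list is deliberately tiny.
KNOWN_ABUSED_DRIVERS = {"martini.sys"}

# Drivers normally load from \Windows\System32\drivers. A driver loaded from a
# user-writable location is the BYOVD tell even when its signature is valid.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp)\\", re.IGNORECASE)

# Event-log clearing via wevtutil or the PowerShell Clear-EventLog cmdlet.
LOG_CLEAR = re.compile(
    r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)", re.IGNORECASE
)

# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign,
# ws03 shows only legitimate administrative PsExec use.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "PSEXESVC.exe"},
    {"event_id": 1, "host": "ws01", "image": r"C:\Users\Public\Martini.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": "Martini.exe"},
    {"event_id": 6, "host": "ws01", "image_loaded": r"C:\Users\Public\Martini.sys",
     "signed": "true"},
    {"event_id": 1, "host": "ws01", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wevtutil.exe cl Security"},
    {"event_id": 6, "host": "ws02",
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys", "signed": "true"},
    {"event_id": 1, "host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"event_id": 1, "host": "ws03", "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": "ipconfig /all"},
]

SCORES = {
    "known_abused_driver": 5,
    "driver_from_user_writable_path": 3,
    "event_log_cleared": 4,
    "spawned_by_psexec_service": 2,
}


def check_event(ev):
    """Return the list of rule names a single event trips (may be empty)."""
    hits = []
    eid = ev.get("event_id")
    if eid == 6:  # driver load
        path = ev.get("image_loaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_ABUSED_DRIVERS:
            hits.append("known_abused_driver")
        if USER_WRITABLE.search(path):
            hits.append("driver_from_user_writable_path")
    elif eid == 1:  # process create
        if LOG_CLEAR.search(ev.get("cmdline", "")):
            hits.append("event_log_cleared")
        if ev.get("parent", "").lower().endswith("psexesvc.exe"):
            hits.append("spawned_by_psexec_service")
    return hits


def score_hosts(events):
    """Aggregate hits per host: {host: (score, sorted rule names)}.

    A suspicious driver load combined with log clearing on the same host is the
    pairing the page describes, so that correlation earns a bonus on top of the
    per-rule weights. Hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            per_host[ev["host"]].add(rule)
    result = {}
    for host, hits in per_host.items():
        score = sum(SCORES[r] for r in hits)
        driver_hit = {"known_abused_driver", "driver_from_user_writable_path"} & hits
        if driver_hit and "event_log_cleared" in hits:
            score += 5
        result[host] = (score, sorted(hits))
    return result


def alert_hosts(events, threshold=8):
    """Hosts whose aggregated score reaches the alert threshold."""
    return sorted(h for h, (s, _) in score_hosts(events).items() if s >= threshold)


if __name__ == "__main__":
    for host, (score, hits) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} hits={hits}")
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

The weights and the threshold are placeholders to tune against your own baseline; the point is the correlation, since PsExec on its own is routine administration (ws03 stays below threshold) while a driver loaded from a user-writable path followed by log clearing almost never is.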

The same report [4] also covers the BianLian ransomware group, which has shifted from double extortion (encrypting data and threatening to leak it) to encryptionless extortion, in which the group only steals data and threatens to publish it. BianLian targets organizations across several sectors and countries [4], entering corporate networks through stolen Remote Desktop Protocol (RDP) credentials and known security flaws. Shared use of a custom .NET-based tool points to a possible connection between BianLian and the Makop ransomware group [4].

Conclusion

These developments highlight the evolving tactics of ransomware groups and the need for robust defenses. Organizations should be vigilant against targeted phishing and should lock down RDP access, since both groups rely on stolen credentials for initial entry. Because BYOVD depends on loading a signed but vulnerable driver, enforcing Microsoft's vulnerable driver blocklist and alerting on driver loads from unusual paths are direct mitigations for the Kasseika chain. The potential connections between these ransomware groups suggest that code and tooling are shared among threat actors. Security teams should stay current on emerging threats and implement effective mitigations to protect against ransomware attacks.

References

[1] https://www.trendmicro.com/pl_pl/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
[2] https://securityonline.info/unpacking-kasseika-the-latest-ransomware-to-exploit-byovd-tactics/
[3] https://blog.cyberconvoy.com/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/
[4] https://thehackernews.com/2024/01/kasseika-ransomware-using-byovd-trick.html
[5] https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
[6] https://www.darkreading.com/endpoint-security/kasseika-ransomware-linked-blackmatter-byovd-attack