Kasseika Ransomware Uses Advanced Infiltration Method

The ransomware group known as Kasseika has recently adopted the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security-related processes on compromised Windows hosts, placing it alongside other groups that use the same approach, such as Akira, AvosLocker, BlackByte, and RobbinHood.

This approach enables threat actors to terminate antivirus processes and services, facilitating the deployment of ransomware, according to an analysis by Trend Micro on Tuesday. Discovered by the cybersecurity firm in mid-December 2023, Kasseika shares similarities with the now-defunct BlackMatter, which emerged after the shutdown of DarkSide.

Kasseika Believed to Have Links to BlackMatter

There are indications that Kasseika may be the work of an experienced threat actor who gained access to BlackMatter, as the latter's source code has not been publicly leaked since its demise in November 2021.

The attack process initiated by Kasseika typically begins with a phishing email for initial access. Subsequently, remote administration tools (RATs) are deployed to gain privileged access and move laterally within the target network.

The threat actors use Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script. This script checks for the existence of a process named "Martini.exe" and terminates it if found, ensuring only one instance of the process runs on the machine.

Mode of Infection of Kasseika

The "Martini.exe" executable downloads and runs the "Martini.sys" driver from a remote server to disable 991 security tools. Notably, "Martini.sys" is actually "viragt64.sys", a legitimately signed driver that Microsoft has added to its vulnerable driver blocklist.

If "Martini.sys" is not present, the malware terminates itself, underscoring the driver's crucial role in defense evasion. Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which uses the ChaCha20 and RSA algorithms for encryption. The payload runs only after every process and service that is using the Windows Restart Manager has been terminated.

The ransomware leaves a note in every encrypted directory and alters the computer's wallpaper with a demand for a 50-bitcoin payment within 72 hours. Failure to comply risks an additional $500,000 every 24 hours after the deadline. Victims are required to post a payment screenshot to an actor-controlled Telegram group to receive a decryptor.

Kasseika ransomware employs additional measures, such as clearing the system's event logs using the wevtutil.exe binary, to erase traces of its activity.
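As an added illustration (not code from the article or from Trend Micro's report), the following sketch correlates the stages described above across constructed Sysmon-style events: the "Martini.exe" loader, the load of "Martini.sys"/"viragt64.sys", the "smartscreen_protected.exe" payload, and log clearing via `wevtutil cl`. A host is reported only when the vulnerable-driver load co-occurs with another stage within a short window; the event field names, hostnames, paths and timestamps are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (eid 1 = process create, eid 6 = driver load).
SAMPLE_LOG = r"""
{"ts": "2024-01-10T09:00:05", "host": "WS01", "eid": 1, "image": "C:\\Windows\\PsExec.exe", "cmd": "PsExec.exe -s cmd /c C:\\Temp\\run.bat"}
{"ts": "2024-01-10T09:00:09", "host": "WS01", "eid": 1, "image": "C:\\Temp\\Martini.exe", "cmd": "Martini.exe"}
{"ts": "2024-01-10T09:00:12", "host": "WS01", "eid": 6, "image": "C:\\Temp\\Martini.sys", "cmd": ""}
{"ts": "2024-01-10T09:01:40", "host": "WS01", "eid": 1, "image": "C:\\Temp\\smartscreen_protected.exe", "cmd": "smartscreen_protected.exe"}
{"ts": "2024-01-10T09:05:00", "host": "WS01", "eid": 1, "image": "C:\\Windows\\System32\\wevtutil.exe", "cmd": "wevtutil.exe cl Security"}
{"ts": "2024-01-10T11:30:00", "host": "WS02", "eid": 1, "image": "C:\\Windows\\System32\\wevtutil.exe", "cmd": "wevtutil.exe qe Application /c:5"}
{"ts": "2024-01-10T11:31:00", "host": "WS02", "eid": 6, "image": "C:\\Windows\\System32\\drivers\\viragt64.sys", "cmd": ""}
"""

WINDOW = timedelta(minutes=30)            # correlation window around the driver load
DRIVER_NAMES = {"martini.sys", "viragt64.sys"}  # renamed copy and original blocklisted name

def classify(ev):
    """Map one event to a Kasseika stage named in the report, or None if benign."""
    name = PureWindowsPath(ev["image"]).name.lower()
    args = ev["cmd"].lower().split()
    if ev["eid"] == 6 and name in DRIVER_NAMES:
        return "driver_load"
    if ev["eid"] == 1 and name == "martini.exe":
        return "loader"
    if ev["eid"] == 1 and name == "smartscreen_protected.exe":
        return "payload"
    if ev["eid"] == 1 and name == "wevtutil.exe" and "cl" in args[1:]:
        return "log_clear"  # 'cl' clears a log; query verbs such as 'qe' are ignored
    return None

def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def detect(events):
    """Return {host: sorted stages} for hosts where a vulnerable-driver load
    is accompanied by at least one other stage inside WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, seen in by_host.items():
        for t0, stage in seen:
            if stage != "driver_load":
                continue
            near = {s for t, s in seen if abs(t - t0) <= WINDOW}
            if len(near) > 1:  # a lone driver load on WS02 is not reported
                hits[host] = sorted(near)
    return hits
```

Running `detect(parse(SAMPLE_LOG))` flags only WS01, where the driver load is surrounded by the loader, the payload and the log clearing.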

January 25, 2024