Kasseika Ransomware
The cybersecurity world is facing a new formidable challenge with the advent of Kasseika ransomware. This malicious entity stands out for its innovative approach in circumventing traditional antivirus measures, marking a concerning evolution in cyber threats.
Kasseika’s Unique Offensive Strategy
What sets Kasseika apart is its use of the Bring Your Own Vulnerable Driver (BYOVD) tactic. Rather than exploiting a flaw in the operating system itself, the attackers load a legitimately signed but vulnerable driver, specifically the Martini driver from TG Soft’s VirIT Agent System, and abuse it to act with kernel privileges. By disabling key antivirus products this way, Kasseika gains an unobstructed path to encrypt files on the targeted system.
The BlackMatter Connection
In-depth analysis by Trend Micro reveals striking similarities between Kasseika and the infamous BlackMatter ransomware. The parallels in their operational tactics and source code hint at Kasseika’s possible origins: it might be the brainchild of ex-BlackMatter members or developed by seasoned ransomware creators who procured BlackMatter’s code. This connection raises alarms due to BlackMatter’s history of destructive cyber campaigns.
The Modus Operandi of Kasseika
Kasseika initiates its attack chain with carefully crafted phishing emails aimed at employees. These emails are designed to steal login credentials, granting the attackers initial access to the victim’s corporate network. The attackers then abuse the legitimate Windows PsExec tool to push and execute malicious .bat files across the network, enabling the ransomware to spread laterally.
A key step in the attack involves shutting down the ‘Martini.exe’ process and loading the vulnerable ‘Martini.sys’ driver. This driver plays a pivotal role: it gives Kasseika the kernel-level access needed to terminate a list of predefined processes, primarily security and antivirus programs.
How Kasseika Executes Its Plan
With the security tooling neutralised, Kasseika runs its main ransomware executable, named smartscreen_protected.exe. The ransomware uses a combination of the ChaCha20 and RSA encryption algorithms to lock down files, mirroring tactics used by BlackMatter. Each encrypted file is tagged with a unique pseudo-random string, and the victims’ desktops are altered to display ransom notes.
The Ransom Demand and Cleanup
The demands made by Kasseika are steep: victims are given a 72-hour window to transfer 50 Bitcoins (valued at about $2,000,000). The ransom increases for every 24-hour delay in payment. Furthermore, victims are instructed to post their payment proofs in a designated Telegram group to obtain the decryption key. In a final act to cover its tracks, Kasseika wipes the system event logs, erasing evidence of its presence and activities.
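The intrusion steps above (PsExec pushing a .bat, the Martini.exe shutdown, the Martini.sys driver load, the smartscreen_protected.exe launch and the final event-log wipe) each leave a distinct trace in host telemetry. The following is an added example, not code from the original article or from Trend Micro: a small correlation routine that maps constructed Sysmon and Windows event records to those stages and alerts on a host only when several stages occur together within a time window. The event records, host names and file paths are made up for illustration; the event IDs used (Sysmon 1 process create, 5 process terminate, 6 driver load, Security 1102 and System 104 log cleared) are standard Windows/Sysmon identifiers, and treating a Martini.exe termination as a stage hit is an assumption of this example, which is why a lone hit does not alert.

```python
"""Stage-based correlation for the Kasseika kill chain described above.

Added example with constructed telemetry; the event records below mimic
Sysmon / Windows event fields and are not real logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    channel: str          # "Sysmon", "Security" or "System"
    event_id: int
    fields: Dict[str, str]


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    stage: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[Finding]:
    """Map one event to a kill-chain stage from the article, or None if it matches nothing."""
    f = ev.fields
    if ev.channel == "Sysmon" and ev.event_id == 1:          # Process Create
        image = _basename(f.get("Image", ""))
        parent = _basename(f.get("ParentImage", ""))
        cmd = f.get("CommandLine", "").lower()
        # PsExec's service binary (PSEXESVC.exe) launching a .bat: remote batch deployment
        if parent == "psexesvc.exe" and ".bat" in cmd:
            return Finding(ev.ts, ev.host, "psexec_lateral", cmd)
        # the main ransomware executable named in the article
        if image == "smartscreen_protected.exe":
            return Finding(ev.ts, ev.host, "payload_exec", f.get("Image", ""))
    if ev.channel == "Sysmon" and ev.event_id == 5:          # Process Terminate
        if _basename(f.get("Image", "")) == "martini.exe":   # assumed stage marker
            return Finding(ev.ts, ev.host, "martini_kill", f.get("Image", ""))
    if ev.channel == "Sysmon" and ev.event_id == 6:          # Driver Loaded
        if _basename(f.get("ImageLoaded", "")) == "martini.sys":
            return Finding(ev.ts, ev.host, "byovd_driver_load", f.get("ImageLoaded", ""))
    if ev.channel == "Security" and ev.event_id == 1102:     # audit log cleared
        return Finding(ev.ts, ev.host, "log_wipe", "Security log cleared")
    if ev.channel == "System" and ev.event_id == 104:        # event log cleared
        return Finding(ev.ts, ev.host, "log_wipe", "System log cleared")
    return None


def correlate(events: List[Event], window: timedelta = timedelta(hours=1),
              min_stages: int = 3) -> Dict[str, List[Finding]]:
    """Per host, return the stage hits that fall inside `window` once at least
    `min_stages` distinct stages are seen; a single benign hit never alerts."""
    per_host: Dict[str, List[Finding]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev)
        if hit is not None:
            per_host.setdefault(hit.host, []).append(hit)
    alerts: Dict[str, List[Finding]] = {}
    for host, hits in per_host.items():
        for i, first in enumerate(hits):
            span = [h for h in hits[i:] if h.ts - first.ts <= window]
            if len({h.stage for h in span}) >= min_stages:
                alerts[host] = span
                break
    return alerts


# Constructed sample telemetry: one compromised file server and one workstation
# where the legitimate VirIT agent simply restarts (two stages, no alert).
T0 = datetime(2024, 1, 23, 2, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "FILESRV01", "Sysmon", 1, {"Image": r"C:\Windows\System32\cmd.exe",
          "ParentImage": r"C:\Windows\PSEXESVC.exe",
          "CommandLine": r"cmd.exe /c C:\Windows\Temp\deploy.bat"}),
    Event(T0 + timedelta(minutes=1), "FILESRV01", "Sysmon", 5,
          {"Image": r"C:\Program Files\VirIT\Martini.exe"}),
    Event(T0 + timedelta(minutes=1, seconds=30), "FILESRV01", "Sysmon", 6,
          {"ImageLoaded": r"C:\Windows\Temp\Martini.sys"}),
    Event(T0 + timedelta(minutes=2), "FILESRV01", "Sysmon", 1,
          {"Image": r"C:\Windows\Temp\smartscreen_protected.exe",
           "ParentImage": r"C:\Windows\System32\cmd.exe",
           "CommandLine": "smartscreen_protected.exe"}),
    Event(T0 + timedelta(minutes=40), "FILESRV01", "Security", 1102, {}),
    Event(T0 + timedelta(minutes=40, seconds=2), "FILESRV01", "System", 104, {}),
    Event(T0 + timedelta(hours=3), "WKS-042", "Sysmon", 5,
          {"Image": r"C:\Program Files\VirIT\Martini.exe"}),
    Event(T0 + timedelta(hours=3, minutes=1), "WKS-042", "Sysmon", 6,
          {"ImageLoaded": r"C:\Program Files\VirIT\Martini.sys"}),
]

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, "->", [h.stage for h in hits])
```

Run as-is, the script alerts on FILESRV01 with the stages in the order the article describes them, while WKS-042 stays quiet because a driver load plus a process exit on its own is exactly what a legitimate VirIT agent restart looks like; the threshold and window are the knobs to tune against real telemetry, and the event-log wipe is worth alerting on separately in any environment where 1102/104 events are rare.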
Proactive Measures and Trend Micro’s Contribution
In response to this escalating threat, Trend Micro has compiled and released a set of indicators of compromise (IoCs) associated with Kasseika. These IoCs are critical for organizations globally to identify and defend against this sophisticated ransomware.
Kasseika ransomware emerges as a daunting new player in the cybercrime arena. Its advanced tactics and connection to BlackMatter underscore the need for enhanced vigilance and adaptive security strategies. The release of IoCs by Trend Micro serves as an essential tool for organizations to shield themselves against this and similar cybersecurity threats. More details: https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html