Kasseika Ransomware
The ransomware group named Kasseika has recently adopted the Bring Your Own Vulnerable Driver (BYOVD) attack method to neutralize security processes on compromised Windows systems. This approach aligns Kasseika with other groups such as Akira, AvosLocker, BlackByte, and RobbinHood, who also employ the BYOVD technique to turn off anti-malware processes and services, facilitating the deployment of ransomware.
Initially identified by cybersecurity experts in mid-December 2023, Kasseika shares similarities with the now-disbanded BlackMatter group, which emerged following the shutdown of DarkSide. There are indications suggesting that the ransomware variant associated with Kasseika may be the result of an experienced threat actor obtaining access to or purchasing assets from BlackMatter. This speculation arises from the fact that BlackMatter's source code has not been publicly disclosed since its demise in November 2021.
Table of Contents
Attack Vectors Utilized to Infect Devices with the Kasseika Ransomware
Kasseika's attack sequences initiate with a phishing email designed for initial access, followed by the deployment of Remote Access Tools (RATs) to acquire privileged entry and navigate laterally within the targeted network. Notably, threat actors within this campaign have been observed employing Microsoft's Sysinternals PsExec command-line utility to executen unsafe batch script. This script checks for the presence of a process called 'Martini.exe' and, if detected, terminates it to ensure only a single instance of the process runs on the machine.
The primary role of the 'Martini.exe' executable is to download and execute the 'Martini.sys' driver from a remote server. This driver is responsible for disabling 991 security tools. It is pertinent to mention that 'Martini.sys' is a legitimately signed driver with the name 'viragt64.sys,' yet it has been included in Microsoft's vulnerable driver blocklist. If 'Martini.sys' is not found, the malware terminates itself, avoiding further execution.
Following this phase, 'Martini.exe' initiates the execution of the ransomware payload, 'smartscreen_protected.exe,' responsible for the encryption process using ChaCha20 and RSA algorithms. However, before commencing encryption, it terminates all processes and services associated with the Windows Restart Manager.
The Kasseika Ransomware Demands Exorbitant Ransom Payments from Victims
Following encryption, a ransom note is deposited in each directory affected, accompanied by a modification of the computer's wallpaper displaying a demand for a 50-bitcoin payment to a specified wallet address. The stipulation is to make the payment within 72 hours; otherwise, there is a threat of incurring an additional $500,000 charge every 24 hours once the deadline expires.
Furthermore, victims are required to share a screenshot confirming the successful payment in an actor-controlled Telegram group to receive the decryption tool.
The Kasseika Ransomware is Equipped with Extensive Threatening Capabilities
In addition to its primary functions, the Kasseika Ransomware employs additional tactics to cover its tracks. One such technique involves erasing traces of its activities by utilizing the wevtutil.exe binary to clear the system's event logs. This command efficiently wipes the Application, Security, and System event logs on the Windows system. By employing this method, the ransomware operates discreetly, heightening the difficulty for security tools to detect and respond to malicious activities.
The ransom demand presented by the Kasseika Ransomware to victims reads:
'Your data are stolen and encrypted!
Deposit 50 Bitcoins into our wallet within 72 hours. After the time is exceeded, it will increase by $500,000 every 24 hours.
After the payment is successful, provide a screenshot to our Telegram group link, and we will provide you with a decryption program.
We will log off the Telegram account after 120 hours, after which you will never be able to decrypt your data and sell this data to the public.Bitcoin wallet address: bc1q3h8ggrd7dc35q4f7jsjp92hnfsc2jgqt9643sr
Telegram group link: hxxps://t.me/+Reeq_NTdXDpkYzE1'
