Excerpt from Bleeping computer Article, Published on Jan 23, 2024
In a recent cybersecurity revelation, a new ransomware variant named ‘Kasseika’ has surfaced, employing sophisticated tactics to disable antivirus defenses before encrypting files. Kasseika, discovered by Trend Micro analysts in December 2023, uses the Martini driver (Martini.sys/viragt64.sys) from TG Soft’s VirtIT Agent System to disable antivirus programs protecting the targeted system.
Believed to share code similarities with the notorious BlackMatter ransomware, Kasseika is thought to have been developed by former members of the BlackMatter group or experienced ransomware actors who acquired its code. Notably, BlackMatter’s source code has remained private since its shutdown in late 2021.
Kasseika initiates its attacks with phishing emails directed at employees of the target organization, aiming to pilfer their account credentials for initial access to the corporate network. Subsequently, the ransomware operators exploit the Windows PsExec tool to execute malicious.bat files on the infected system and others accessed through lateral movement.
The malicious batch file identifies and terminates the ‘Martini.exe’ process, ensuring smooth progression. It then downloads the vulnerable ‘Martini.sys’ driver onto the compromised machine. This driver is pivotal in the attack chain, and Kasseika halts its progress if the ‘Martini’ service creation fails or if ‘Martini.sys’ is not found on the system.
Using Bring Your Own Vulnerable Driver (BYOVD) attacks, the malware gains privileges to terminate 991 processes, including various antivirus products, security tools, analysis tools, and system utilities. Following this, Kasseika executes Martini.exe to disable antivirus processes and launches its main ransomware binary, ‘smartscreen_protected.exe.’ A ‘clear.bat’ script is then executed to erase traces of the attack.
Kasseika utilizes the ChaCha20 and RSA encryption algorithms to encrypt target files, appending a pseudo-random string to filenames, mirroring BlackMatter’s tactics. The ransomware leaves a decryption demand in every encrypted directory and alters the computer’s wallpaper to convey a note about the attack. Victims are given a 72-hour window to deposit 50 bitcoins ($2,000,000), with an additional $500,000 added for each subsequent 24-hour delay in resolution. To further thwart security analysis, Kasseika systematically clears system event logs post-encryption using commands like ‘wevutil.exe.’
To delve deeper into this topic, please read the full article on Bleeping computer