The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood.
The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis.
Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown.
There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked since its demise in November 2021.
Attack chains involving Kasseika begin with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.
The threat actors have been observed using Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named "Martini.exe" and, if found, terminates it to ensure there is only one instance of the process running on the machine.
The executable's main responsibility is to download and run the "Martini.sys" driver from a remote server in order to disable 991 security tools. It is worth noting that "Martini.sys" is a legitimate signed driver named "viragt64.sys" that has been added to Microsoft's vulnerable driver blocklist.
"If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," the researchers said, indicating the crucial role played by the driver in defense evasion.
Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which takes care of the encryption process using the ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.
A ransom note is then dropped in every directory that it has encrypted, and the computer's wallpaper is changed to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an extra $500,000 every 24 hours once the deadline elapses.
On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.
The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system's event logs using the wevtutil.exe binary.
"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers said. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities."
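The two defense-evasion behaviours described above, the load of the blocklisted "viragt64.sys"/"Martini.sys" driver and the clearing of the Application, Security, and System event logs with wevtutil.exe, are both visible in ordinary endpoint telemetry. The following Python is an added detection example written for this page; it is not Trend Micro's code, and the event records it runs over are constructed. Field names follow the Sysmon convention (EventID 1 for process creation, EventID 6 for driver load) as an assumption about the telemetry source; the set of monitored log channels and driver names is taken from the article only.

```python
"""Constructed example: flag BYOVD driver loads and wevtutil log clearing.

Events are Sysmon-style dicts (EventID 1 = process create, EventID 6 =
driver load); this shape is an assumption, and all records are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver file names the article ties to the BYOVD step (same signed driver).
BLOCKLISTED_DRIVER_NAMES = {"viragt64.sys", "martini.sys"}

# Log channels whose wholesale clearing the article attributes to the actor.
SENSITIVE_LOG_CHANNELS = {"application", "security", "system"}


@dataclass(frozen=True)
class Alert:
    technique: str
    host: str
    detail: str


def wevtutil_cleared_channel(command_line: str) -> Optional[str]:
    """Return the lower-cased channel if the command line clears one of the
    sensitive Windows event logs with wevtutil (`cl` or `clear-log`)."""
    try:
        # posix=False keeps Windows backslashes literal; quotes stay on tokens.
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    image = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in {"wevtutil.exe", "wevtutil"}:
        return None
    # Look for a clear verb followed by a channel name.
    for i, tok in enumerate(argv[1:-1], start=1):
        if tok.lower() in {"cl", "clear-log"}:
            channel = argv[i + 1].strip('"').lower()
            if channel in SENSITIVE_LOG_CHANNELS:
                return channel
    return None


def driver_basename(image_loaded: str) -> str:
    """Normalise a driver path to its lower-cased file name."""
    return image_loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Alert]:
    """Run both detections over a batch of events and return the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            channel = wevtutil_cleared_channel(ev.get("CommandLine", ""))
            if channel:
                alerts.append(Alert(
                    "event-log-clearing", host,
                    f"wevtutil cleared the '{channel}' log "
                    f"(parent: {ev.get('ParentImage', '?')})"))
        elif ev.get("EventID") == 6:
            name = driver_basename(ev.get("ImageLoaded", ""))
            if name in BLOCKLISTED_DRIVER_NAMES:
                alerts.append(Alert(
                    "byovd-driver-load", host,
                    f"blocklisted driver {name} loaded from "
                    f"{ev.get('ImageLoaded')}"))
    return alerts


# Constructed sample telemetry: two clears, one benign query, one suspicious
# driver load, one legitimate driver load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01",
     "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS-01",
     "CommandLine": "wevtutil.exe qe Application /c:5",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS-01",
     "CommandLine": '"C:\\Windows\\System32\\wevtutil.exe" clear-log "System"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 6, "Computer": "WS-01",
     "ImageLoaded": r"C:\Users\Public\Martini.sys", "Signed": "true"},
    {"EventID": 6, "Computer": "WS-01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.host}: {alert.detail}")
```

On the sample batch the detector raises three alerts: the two wevtutil clears and the Martini.sys load; the `qe` query and the ndis.sys load stay quiet. A signed driver that is nonetheless on Microsoft's blocklist is exactly why matching on the signature status alone is insufficient here; the file name (or, in production, the file hash against the published blocklist) is what carries the signal.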
The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group's shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.
BianLian has been an active and prevalent threat group since September 2022, predominantly singling out the healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.
What's more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.
"This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data," security researcher Daniel Frank said in a new overview of BianLian.
"This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past."