The Kasseika ransomware group has emerged as the latest threat actor exploiting the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security processes on compromised Windows systems. This method allows cybercriminals to terminate antivirus software, facilitating the deployment of ransomware. Kasseika joins other prominent groups, including Akira, AvosLocker, BlackByte, and RobbinHood, in employing this tactic, according to Trend Micro’s recent analysis.
First identified by cybersecurity experts in mid-December 2023, Kasseika displays characteristics reminiscent of the defunct BlackMatter group, which was operational following the shutdown of DarkSide. Evidence suggests that Kasseika may be operated by a seasoned threat actor with prior access to BlackMatter’s resources, as its source code has not been publicly released since its demise in November 2021.
Kasseika’s attacks typically initiate with phishing emails designed for initial access. The group drops Remote Administration Tools (RATs) to establish privileged access, allowing lateral movement within the targeted networks. Using Microsoft’s Sysinternals PsExec command-line utility, they execute a malicious script that seeks and terminates a process named “Martini.exe,” ensuring only one instance runs on the infected machine.
Key functionalities of the exploited executable include downloading and executing the “Martini.sys” driver from a remote location, a step critical for disabling numerous security tools across the system. Notably, “Martini.sys” is actually a legitimate signed driver recognized as “viragt64.sys,” which has been classified under Microsoft’s vulnerable driver blocklist. If the required driver is absent, the malware self-terminates, highlighting the critical nature of this component in the threat actor’s operational strategy.
Once entrenched, Kasseika’s payload (“smartscreen_protected.exe”) manages the encryption process, utilizing ChaCha20 and RSA algorithms. Prior to this, it systematically terminates all processes interacting with the Windows Restart Manager. Victims find a ransom note in every encrypted directory, and their desktop wallpaper demands a payment of 50 bitcoins within 72 hours, threatening an additional fee of $500,000 for every 24-hour delay beyond the deadline. Additionally, victims are instructed to provide evidence of payment in a Telegram group controlled by the attackers to obtain a decryptor.
Lurking beneath these actions, Kasseika also implements strategies to obfuscate its activities, including the erasure of event logs through the use of the wevtutil.exe binary. Such tactics complicate the identification and response processes for security tools, allowing the ransomware to operate more discreetly and retain persistence within the victim’s environment.
This new wave of Kasseika’s activity underscores ongoing concerns in the cybersecurity landscape, as highlighted by Palo Alto Networks’ Unit 42, which noted the BianLian ransomware group’s shift to encryptionless extortion methods in response to the release of a free decryptor earlier this year. BianLian has been active since September 2022, primarily targeting sectors such as healthcare and manufacturing across multiple countries including the U.S., U.K., and Australia, among others.
In sum, the Kasseika ransomware exemplifies the evolving nature of cyber threats, employing sophisticated techniques to infiltrate corporate networks and extort significant sums from victims. As such, adherence to the MITRE ATT&CK framework is essential, with tactics such as initial access through phishing, persistence via executing unattended scripts, and privilege escalation by exploiting vulnerable drivers being pivotal to understanding and mitigating these threats. An acute awareness of such vulnerabilities is vital for business owners looking to reinforce their cybersecurity posture against an increasingly hostile digital landscape.
