The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood.
The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis.
Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown.
There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked since its demise in November 2021.
Attack chains involving Kasseika begin with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.
The threat actors have been observed using Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named "Martini.exe" and, if found, terminates it to ensure there is only one instance of the process running on the machine.
The executable's main responsibility is to download and run the "Martini.sys" driver from a remote server in order to disable 991 security tools. It's worth noting that "Martini.sys" is a legitimate signed driver named "viragt64.sys" that has been added to Microsoft's vulnerable driver blocklist.
"If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," the researchers said, indicating the crucial role played by the driver in defense evasion.
Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which takes care of the encryption process using the ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.
A ransom note is then dropped in every directory that it has encrypted, and the computer's wallpaper is modified to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses.
On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.
The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system's event logs using the wevtutil.exe binary.
"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers said. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities."
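Two of the behaviours described above leave telemetry a defender can match on: the BYOVD driver ("Martini.sys", really the blocklisted "viragt64.sys") being loaded, and wevtutil.exe being invoked to clear the Application, Security, and System logs. The following is an added triage example written for this article, not code from Trend Micro or from any product; the record format (fields "host", "event", "cmdline", "driver") and the sample records are constructed for the example, and only the driver and log names come from the article. It generalises slightly beyond the text by flagging any wevtutil clear-log call and rating the three logs named in the analysis as high severity.

```python
"""Defender-side triage over constructed endpoint telemetry records.

Assumption of this example: each record is a dict with an "event" field of
either "process_create" (with "cmdline") or "driver_load" (with "driver").
Real EDR/Sysmon schemas differ; adapt the field names when wiring this in.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Driver file names named in the article: the name the malware drops it under
# and the legitimate signed driver it actually is (on Microsoft's vulnerable
# driver blocklist).
BYOVD_DRIVER_NAMES = {"martini.sys", "viragt64.sys"}

# The three event logs the analysis says Kasseika clears with wevtutil.
HIGH_VALUE_LOGS = {"application", "security", "system"}

# Tokeniser: keep double-quoted paths intact, otherwise split on whitespace.
_ARG_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    host: str
    technique: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, case-folded; tolerates quotes and either slash."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def clear_log_target(cmdline: str) -> Optional[str]:
    """Return the log name (lower-cased) if cmdline is a wevtutil clear-log
    invocation ("cl" or "clear-log"), otherwise None."""
    argv = _ARG_RE.findall(cmdline)
    if not argv:
        return None
    exe = _basename(argv[0])
    if exe not in ("wevtutil.exe", "wevtutil"):
        return None
    for i in range(1, len(argv) - 1):
        if argv[i].lower() in ("cl", "clear-log"):
            return argv[i + 1].strip('"').lower()
    return None


def triage(records) -> List[Finding]:
    """Walk the records in order and emit a Finding for each match."""
    findings: List[Finding] = []
    for rec in records:
        host = rec.get("host", "unknown")
        if rec["event"] == "process_create":
            target = clear_log_target(rec.get("cmdline", ""))
            if target is not None:
                sev = "high" if target in HIGH_VALUE_LOGS else "medium"
                findings.append(Finding(host, "event-log-clearing", sev,
                                        f"wevtutil cleared the {target} log"))
        elif rec["event"] == "driver_load":
            name = _basename(rec["driver"])
            if name in BYOVD_DRIVER_NAMES:
                findings.append(Finding(host, "byovd-driver-load", "high",
                                        f"{name} loaded from {rec['driver']}"))
    return findings


# Constructed sample records for this example (not real captured telemetry).
SAMPLE_RECORDS = [
    {"host": "ws01", "event": "process_create", "cmdline": r"cmd.exe /c tasklist"},
    {"host": "ws01", "event": "driver_load", "driver": r"C:\Windows\Temp\Martini.sys"},
    {"host": "ws01", "event": "process_create", "cmdline": r"wevtutil.exe cl Security"},
    {"host": "ws01", "event": "process_create",
     "cmdline": r'"C:\Windows\System32\wevtutil.exe" clear-log System'},
    {"host": "ws02", "event": "process_create",
     "cmdline": r"wevtutil.exe qe Application /c:5"},  # a query, not a clear
    {"host": "ws02", "event": "process_create", "cmdline": r"wevtutil cl Setup"},
    {"host": "ws02", "event": "driver_load",
     "driver": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.host}  {f.severity:6}  {f.technique:20}  {f.detail}")
```

Matching on the driver file name is the cheap check; a more robust version would also key on the file hash or signer, since a renamed copy of the same blocklisted driver is exactly what this campaign relies on. The log-clearing rule is the stronger signal in practice because a legitimate administrator clearing the Security log from a script is rare.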
The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group's shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.
BianLian has been an active and prevalent threat group since September 2022, predominantly singling out the healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.
What's more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.
"This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data," security researcher Daniel Frank said in a new overview of BianLian.
"This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past."