Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption


The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood.

The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis.

Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown.

There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked since its demise in November 2021.

Attack chains involving Kasseika begin with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.

The threat actors have been observed using Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named "Martini.exe" and, if found, terminates it to ensure there is only one instance of the process running on the machine.

The executable's main responsibility is to download and run the "Martini.sys" driver from a remote server in order to disable 991 security tools. It's worth noting that "Martini.sys" is a legitimately signed driver named "viragt64.sys" that has been added to Microsoft's vulnerable driver blocklist.

"If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," the researchers said, indicating the crucial role played by the driver in defense evasion.

Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which takes care of the encryption process using the ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.

A ransom note is then dropped in every directory that it has encrypted, and the computer's wallpaper is changed to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses.

On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.

The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system's event logs using the wevtutil.exe binary.

"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers said. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities."
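The two behaviours described above (loading the blocklisted viragt64.sys driver under the name Martini.sys, and clearing the Application, Security and System logs with wevtutil) are both visible in endpoint telemetry before encryption starts. The following detector is an added example written for this page; it is not Trend Micro's code and not an artefact of the campaign. It assumes events have already been normalised into a simplified Sysmon-like dictionary form (fields such as `image_loaded`, `original_file_name`, `command_line` are assumptions), and the sample records at the bottom are constructed, not real telemetry.

```python
"""Detect two pre-encryption behaviours attributed to Kasseika in the article:
   1. a driver load whose file name or OriginalFileName is Martini.sys / viragt64.sys
   2. a process launch that clears an event log with 'wevtutil cl' or 'wevtutil clear-log'
Event records are assumed to be pre-normalised dicts (a simplified Sysmon-like shape);
the records in SAMPLE_EVENTS are constructed for this example."""

import re
from dataclasses import dataclass
from typing import Optional

# Names the article ties to the BYOVD step: the dropped file and the blocklisted original.
SUSPICIOUS_DRIVER_NAMES = {"martini.sys", "viragt64.sys"}

# wevtutil 'cl' / 'clear-log' against one of the three logs the researchers named.
WEVTUTIL_CLEAR = re.compile(
    r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?(application|security|system)"?',
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_driver_load(event: dict) -> Optional[Finding]:
    """Flag a driver whose on-disk name or embedded OriginalFileName is on our list.
    Checking OriginalFileName catches the driver even when it is renamed on disk."""
    name = event.get("image_loaded", "").rsplit("\\", 1)[-1].lower()
    orig = event.get("original_file_name", "").lower()
    if name in SUSPICIOUS_DRIVER_NAMES or orig in SUSPICIOUS_DRIVER_NAMES:
        return Finding(event["host"], "byovd_driver_load",
                       f"{name} (OriginalFileName={orig or 'unknown'})")
    return None


def check_log_clear(event: dict) -> Optional[Finding]:
    """Flag wevtutil invocations that clear a log; queries ('wevtutil qe ...') are ignored."""
    match = WEVTUTIL_CLEAR.search(event.get("command_line", ""))
    if match:
        return Finding(event["host"], "event_log_cleared",
                       f"{match.group(1).capitalize()} log cleared via wevtutil, "
                       f"parent={event.get('parent_image', 'unknown')}")
    return None


def scan(events: list) -> list:
    """Run the two checks over a list of normalised events and collect the findings."""
    findings = []
    for ev in events:
        if ev.get("type") == "driver_load":
            finding = check_driver_load(ev)
        elif ev.get("type") == "process_create":
            finding = check_log_clear(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: three records should trigger, two should not.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wevtutil.exe cl Application"},
    {"type": "process_create", "host": "ws01", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wevtutil cl Security"},
    {"type": "process_create", "host": "ws02", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wevtutil qe Security /c:5"},               # a query, not a clear
    {"type": "driver_load", "host": "ws01",
     "image_loaded": "C:\\Windows\\Temp\\Martini.sys", "original_file_name": "viragt64.sys"},
    {"type": "driver_load", "host": "ws02",
     "image_loaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "original_file_name": "ntfs.sys"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

In practice the same two checks map onto Sysmon Event ID 6 (driver loaded) and Event ID 1 (process creation), and a cleared Security log additionally leaves Security Event ID 1102 behind, which is worth alerting on independently since the clearing itself is the signal.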

The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group's shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.

BianLian has been an active and prevalent threat group since September 2022, predominantly singling out the healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.

Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.

What's more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.

"This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data," security researcher Daniel Frank said in a new overview of BianLian.

"This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past."
