The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood.
The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis.
Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown.
There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked since its demise in November 2021.
Attack chains involving Kasseika begin with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.
The threat actors have been observed using Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named "Martini.exe" and, if found, terminates it to ensure there is only one instance of the process running on the machine.
The executable's main responsibility is to download and run the "Martini.sys" driver from a remote server in order to disable 991 security tools. It's worth noting that "Martini.sys" is a legitimate signed driver named "viragt64.sys" that has been added to Microsoft's vulnerable driver blocklist.
"If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," the researchers said, indicating the crucial role played by the driver in defense evasion.
Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which takes care of the encryption process using the ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.
A ransom note is then dropped in every directory that it has encrypted, and the computer's wallpaper is changed to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an extra $500,000 every 24 hours once the deadline elapses.
On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.
The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system's event logs using the wevtutil.exe binary.
"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers said. "This technique is used to operate discreetly, making it harder for security tools to identify and respond to malicious activities."
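As an added defender-side example (not code from the Trend Micro report or from the Kasseika tooling), the following Python flags the evasion steps described above over constructed sample telemetry: a wevtutil.exe process creation that clears a log, a driver load whose file name matches the renamed Martini.sys or the original viragt64.sys, and the log-cleared events Windows itself records. The event field names and the Sysmon channel layout are assumptions about a normalised event feed.

```python
import ntpath

# Constructed sample telemetry (not data from the report): normalised Windows
# Security events (4688 process creation, 1102 audit log cleared) and a Sysmon
# event 6 (driver loaded), with only the fields the rules below need.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688,
     "command_line": r"C:\Windows\System32\wevtutil.exe cl Application"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 6,
     "image_loaded": r"C:\Users\Public\Martini.sys"},
    {"channel": "Security", "event_id": 1102, "command_line": ""},
    {"channel": "Security", "event_id": 4688,
     "command_line": r"C:\Windows\System32\notepad.exe notes.txt"},
]

# Driver file names from the report: the renamed copy and the original,
# blocklisted viragt64.sys. The driver carries a valid signature, so a
# signature check alone does not catch it; match on name (and hash, in production).
WATCHED_DRIVERS = {"martini.sys", "viragt64.sys"}
# (channel, event id) pairs Windows writes when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def detect(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        channel, eid = ev.get("channel", ""), ev.get("event_id")
        if (channel, eid) in LOG_CLEARED:
            findings.append(("log_cleared", f"{channel} log cleared, event {eid}"))
        if eid == 4688:
            # Whitespace split is enough for the sample; quoted paths need a real tokenizer.
            argv = ev.get("command_line", "").lower().split()
            if argv and ntpath.basename(argv[0]) == "wevtutil.exe" \
                    and any(a in ("cl", "clear-log") for a in argv[1:]):
                findings.append(("wevtutil_clear_log", " ".join(argv)))
        if eid == 6 and channel.startswith("Microsoft-Windows-Sysmon"):
            name = ntpath.basename(ev.get("image_loaded", "")).lower()
            if name in WATCHED_DRIVERS:
                findings.append(("watched_driver_loaded", ev["image_loaded"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```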
The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group's shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.
BianLian has been an active and prevalent threat group since September 2022, predominantly singling out the healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.
What's more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.
"This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data," security researcher Daniel Frank said in a new overview of BianLian.
"This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past."