The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood.
The tactic allows “threat actors to terminate antivirus processes and services for the deployment of ransomware,” Trend Micro said in a Tuesday analysis.
Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide’s shutdown.
There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter’s source code has never leaked publicly after its demise in November 2021.
Attack chains involving Kasseika commence with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.
The threat actors have been observed utilizing Microsoft’s Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named “Martini.exe” and, if found, terminates it to ensure there is only one instance of the process running on the machine.
The executable’s main responsibility is to download and run the “Martini.sys” driver from a remote server in order to disable 991 security tools. It’s worth noting that “Martini.sys” is a legitimate signed driver named “viragt64.sys” that has been added to Microsoft’s vulnerable driver blocklist.
“If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine,” the researchers said, indicating the crucial role played by the driver in defense evasion.
Following this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), which takes care of the encryption process using ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.
A ransom note is then dropped in every directory that it has encrypted and the computer’s wallpaper is modified to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an extra $500,000 every 24 hours once the deadline elapses.
On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.
The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system’s event logs using the wevtutil.exe binary.
“The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system,” the researchers said. “This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”
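The two behaviours described above, loading a known-vulnerable driver (the BYOVD step with “Martini.sys”/“viragt64.sys”) and clearing event logs with wevtutil.exe, both leave telemetry that a defender can match on. The following is an added example, not code from Trend Micro or from the article: a small Python triage script that parses constructed, Sysmon-style `key=value` log lines (Event ID 6 for driver loads, Event ID 1 for process creation) and raises an alert when a loaded driver’s file name is on a vulnerable-driver list or when wevtutil clears one of the Application, Security or System logs. The log format, the sample lines and the name-based driver list are assumptions for illustration; a production check would compare driver hashes or signer details against Microsoft’s vulnerable driver blocklist rather than file names, which an attacker can rename, as the Martini.sys case shows.

```python
import re
from typing import Dict, List, Optional

# Assumed, name-based list of known-vulnerable drivers. Seeded from the names in the
# article (viragt64.sys and the renamed copy Martini.sys); a real deployment would use
# hashes/signers from Microsoft's blocklist, since names are trivially changed.
VULNERABLE_DRIVER_NAMES = {"viragt64.sys", "martini.sys"}

# Logs whose clearing is worth an alert (the three named in the article).
PROTECTED_LOGS = {"application", "security", "system"}

# Constructed sample telemetry in a simplified Sysmon-like key=value format.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Tools\PsExec.exe CommandLine="PsExec.exe -s cmd /c run.bat"',
    r'EventID=1 Image=C:\Windows\Temp\Martini.exe CommandLine="Martini.exe"',
    r'EventID=6 ImageLoaded=C:\Windows\Temp\Martini.sys Signed=true',
    r'EventID=1 Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil.exe cl Security"',
    r'EventID=1 Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil cl Application"',
    r'EventID=1 Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil qe System /c:5"',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse `key=value` pairs; values may be double-quoted to allow spaces."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def _basename(path: str) -> str:
    # Windows paths in the samples use backslashes; take the last component.
    return path.rsplit("\\", 1)[-1].lower()


def detect_vulnerable_driver_load(event: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 6 (driver loaded) whose file name is on the vulnerable list."""
    if event.get("EventID") != "6":
        return None
    loaded = event.get("ImageLoaded", "")
    if _basename(loaded) in VULNERABLE_DRIVER_NAMES:
        return f"BYOVD: known-vulnerable driver loaded: {loaded}"
    return None


def detect_log_clearing(event: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 1 (process create) where wevtutil clears a protected log."""
    if event.get("EventID") != "1":
        return None
    if _basename(event.get("Image", "")) != "wevtutil.exe":
        return None
    cmd = event.get("CommandLine", "")
    # wevtutil accepts both the short verb `cl` and the long form `clear-log`.
    m = re.search(r"\b(cl|clear-log)\s+(\S+)", cmd, re.IGNORECASE)
    if m and m.group(2).lower() in PROTECTED_LOGS:
        return f"Log clearing: {cmd}"
    return None


DETECTORS = (detect_vulnerable_driver_load, detect_log_clearing)


def triage(lines: List[str]) -> List[str]:
    """Run every detector over every line and collect the alerts in order."""
    alerts: List[str] = []
    for line in lines:
        event = parse_event(line)
        for detector in DETECTORS:
            hit = detector(event)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample, the script raises three alerts: one for the Martini.sys load and two for the `cl` invocations against Security and Application, while the query (`qe`) against System and the legitimate tcpip.sys load pass silently. Pairing this with Windows’ own audit record of a cleared log (Security Event ID 1102 / System Event ID 104) gives a second, independent signal that survives even if the process-creation telemetry itself is lost.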
The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group’s shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.
BianLian has been an active and prevalent threat group since September 2022, predominantly singling out healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.
What’s more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.
“This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data,” security researcher Daniel Frank said in a new overview of BianLian.
“This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past.”