A recently discovered ransomware, named “Kasseika,” employs Bring Your Own Vulnerable Driver tactics to incapacitate antivirus software prior to encrypting files. It is suspected that Kasseika may have been developed by former members of the BlackMatter group or experienced ransomware actors who acquired its code.
KASSEIKA RANSOMWARE DEPLOYS BYOVD ATTACKS
A recently identified ransomware operation, dubbed “Kasseika,” employs Bring Your Own Vulnerable Driver tactics to incapacitate antivirus software before encrypting files. Kasseika utilizes the Martini driver (Martini.sys/viragt64.sys), a component of TG Soft’s VirtIT Agent System, to disable antivirus products safeguarding the targeted system.
As per analysts who initially detected and examined Kasseika in December 2023, the ransomware exhibits numerous attack chains and source code similarities with BlackMatter. Despite BlackMatter’s source code never being publicly leaked since its closure in late 2021, investigators speculate that Kasseika was probably developed by former members of the group or seasoned ransomware actors who acquired its code.
What Are BYOVD Attacks?
BYOVD stands for “Bring Your Own Vulnerable Driver.” It refers to a tactic employed by certain malware or ransomware in which the attackers bring along a legitimately signed but vulnerable device driver, load it on the targeted system, and abuse its kernel-level access to disable security measures such as antivirus software. In the context of cybersecurity threats, BYOVD tactics exploit weaknesses in drivers to circumvent security controls before executing malicious actions, such as encrypting files or carrying out further attacks.
Cyber attackers frequently employ a phishing email as the initial entry point to a network. Subsequently, they use remote administration tools (RATs) to navigate the network and obtain privileged access. In these attacks, Microsoft’s Sysinternals PsExec command-line utility is commonly used to run a malicious batch script that identifies and halts any process named “Martini.exe,” ensuring that only one instance of the process is running on the targeted machine.
Following the initial preparations, the attackers retrieve and execute a driver named “Martini.sys” from a remote server. This driver has the capability to disable up to 991 security-related elements. Notably, “Martini.sys” is a legitimate, signed driver named “viragt64.sys,” which has since been added to Microsoft’s vulnerable driver blocklist. If the malware fails to locate “Martini.sys,” it will terminate itself and abstain from progressing with the attack. Therefore, the success of the entire attack hinges on the presence of this specific driver—a relatively conspicuous approach, in my opinion.
Upon execution of “Martini.exe,” the ransomware payload, named “smartscreen_protected.exe,” encrypts all files using ChaCha20 and RSA algorithms. It terminates processes and services accessing Windows Restart Manager. After completing the encryption process, a ransom note is deposited in each encrypted directory. Additionally, the system’s wallpaper is altered to showcase a note demanding payment of 50 bitcoins to a specified wallet address within 72 hours. Failure to comply with this demand will incur an additional fee of $500,000 every 24 hours after the deadline has elapsed.
To obtain a decryptor, victims are required to share a screenshot of the successful payment in a Telegram group controlled by the attacker. Additionally, the Kasseika ransomware employs the wevtutil.exe binary to clear the system’s event logs, effectively erasing any traces of its activity. This discreet technique poses a greater challenge for security tools in detecting and responding to malicious activities.
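The two host-level behaviours described above, loading of the vulnerable Martini/viragt64 driver and clearing of event logs with wevtutil, are both visible in ordinary Windows telemetry. The following detection logic is an added example written for this article; it is not code from the researchers who analysed Kasseika. It assumes events have already been collected as dictionaries with Sysmon field names (Event ID 6 DriverLoad with ImageLoaded and Hashes, Event ID 1 ProcessCreate with CommandLine) plus the native Security 1102 and System 104 “log cleared” records. The driver file names come from the article; the blocklist hash and all sample events are constructed stand-ins.

```python
"""Detect Kasseika-style BYOVD driver loads and event-log clearing.

Added example for this article. Field names follow Sysmon; the events
in SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Driver file names named in the article. Kasseika drops the legitimately
# signed viragt64.sys under the name Martini.sys, so both names are listed.
VULNERABLE_DRIVER_NAMES = {"martini.sys", "viragt64.sys"}

# Name checks miss a renamed copy, so a hash check is needed as well. The
# article gives no hash; this is a constructed placeholder an analyst would
# replace with the value from Microsoft's vulnerable driver blocklist.
CONSTRUCTED_BLOCKLIST_SHA256 = "a1" * 32
VULNERABLE_DRIVER_HASHES = {CONSTRUCTED_BLOCKLIST_SHA256}

# wevtutil accepts both "cl" and "clear-log" as the clear sub-command.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)

# Records Windows itself writes when a log is cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def driver_basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hashes(field: str) -> dict:
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 6: flag a blocklisted driver by name, then by hash.

    The driver is validly signed, so a signature check alone would pass it;
    the detection has to key on identity (name or hash), not on trust.
    """
    name = driver_basename(ev.get("ImageLoaded", ""))
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
    if name in VULNERABLE_DRIVER_NAMES:
        return Alert("byovd_known_driver_name", ev["Computer"], f"{name} loaded from {ev['ImageLoaded']}")
    if sha256 in VULNERABLE_DRIVER_HASHES:
        return Alert("byovd_known_driver_hash", ev["Computer"], f"blocklisted hash loaded as {ev['ImageLoaded']}")
    return None


def check_process_create(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 1: flag wevtutil invoked to clear a log (queries are fine)."""
    cmd = ev.get("CommandLine", "")
    if WEVTUTIL_CLEAR.search(cmd):
        return Alert("wevtutil_clear_log", ev["Computer"], cmd)
    return None


def check_log_cleared(ev: dict) -> Optional[Alert]:
    """Native Windows record that a log was cleared, independent of which tool did it."""
    if (ev.get("Channel"), ev.get("EventID")) in LOG_CLEARED_IDS:
        return Alert("event_log_cleared", ev["Computer"], f"{ev['Channel']} log cleared")
    return None


def detect(events: list) -> list:
    """Run every event through the rule matching its source and collect alerts."""
    alerts = []
    for ev in events:
        if ev.get("Channel") == SYSMON_CHANNEL and ev.get("EventID") == 6:
            alert = check_driver_load(ev)
        elif ev.get("Channel") == SYSMON_CHANNEL and ev.get("EventID") == 1:
            alert = check_process_create(ev)
        else:
            alert = check_log_cleared(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"Channel": SYSMON_CHANNEL, "EventID": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\Martini.sys", "Hashes": "SHA256=" + "00" * 32},
    {"Channel": SYSMON_CHANNEL, "EventID": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Hashes": "SHA256=" + "11" * 32},
    {"Channel": SYSMON_CHANNEL, "EventID": 6, "Computer": "WS01",
     "ImageLoaded": r"C:\Users\Public\drv.sys", "Hashes": "SHA256=" + CONSTRUCTED_BLOCKLIST_SHA256},
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "Computer": "WS01",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "Computer": "WS01",
     "CommandLine": "wevtutil.exe qe Security /c:5"},
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run over the constructed sample, `detect` raises four alerts: the driver load by its Martini.sys name, the renamed copy caught only by hash, the `wevtutil cl` command line, and the Security 1102 record; the benign tcpip.sys load and the wevtutil query pass. The last rule matters because it fires even when the clearing is done by something other than wevtutil, and because an attacker who clears the Security log also leaves the 1102 record as the first entry in the freshly emptied log.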
Organizations should adopt a multi-layered approach to safeguard against Kasseika and other malware. Here are essential recommendations:
- Enhance Email Security:
  - Implement robust email filters to detect and block phishing attempts.
  - Conduct regular employee training on identifying phishing emails and cyber threats.
  - Increase awareness through ongoing education to reduce the risk of infection.
- Implement EDR Zero-Trust:
  - Deploy Endpoint Detection and Response (EDR) within a zero-trust security framework.
  - Continuously monitor and verify endpoints for suspicious activity.
  - Enforce strict access controls to minimize the risk of lateral movement within the network.
  - Integrate EDR to enhance overall security posture and protect against cyber threats, including ransomware.
- Update and Patch Regularly:
  - Prioritize regular software updates and patch installations to address vulnerabilities.
  - Stay informed about the latest news and patches released by software vendors.
  - Proactively address software vulnerabilities to mitigate the risk of cyber threats and potential ransomware attacks.