
New "Kasseika" ransomware tactic discovered

Advanced Kasseika ransomware attack methodology evades digital defenses

A ransomware variant called Kasseika uses a vulnerable driver to disable antivirus software and then encrypts data. The attack starts with a phishing email and then spreads across the victim's network. The operators demand a ransom of 50 Bitcoin.



Trend Micro researchers recently identified an insidious ransomware variant dubbed "Kasseika". This malware uses a technique known as BYOVD (Bring Your Own Vulnerable Driver) to disable antivirus programs before encrypting data. The attack usually begins with a phishing email sent to employees of the target organization in order to obtain credentials for access to the corporate network.

Kasseika deployment and action phase

Following the initial breach, Kasseika used PsExec, a native Windows tool, to execute a malicious .bat file and extend its reach within the network. This script is dedicated to finding and terminating a specific process, "Martini.exe", so that the antivirus cannot intervene. The crucial phase involves downloading and loading "Martini.sys", a vulnerable driver belonging to the VirtIT Agent System antivirus; without it the ransomware does not proceed.

Preparing for data encryption

The attack continues with the abuse of the vulnerable driver to obtain elevated privileges, which are needed to terminate the security and monitoring processes whose list is preconfigured in the malware. This allows Kasseika to proceed undisturbed to launch the executable responsible for encrypting the data, using sophisticated algorithms similar to those of the ransomware known as BlackMatter.
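The chain described in the two sections above (a .bat file launched through PsExec, the termination of Martini.exe, then the loading of the Martini.sys driver) leaves a correlatable trail in endpoint telemetry. The following added example, which is not Trend Micro's or the page's code, correlates simplified Sysmon-style events per host; the event field names and the sample records are constructed for illustration, and only the process and driver names come from the article.

```python
"""Correlate Sysmon-style events for the Kasseika BYOVD chain (added example).
Assumed simplified format: EventID 1 = ProcessCreate, EventID 6 = DriverLoad;
field names (Computer, Image, ParentImage, CommandLine, ImageLoaded) are assumptions."""

from collections import defaultdict

# Indicators taken from the article; PSEXESVC.exe is the service binary PsExec drops
VULN_DRIVER = "martini.sys"
TARGET_AV_PROCESS = "martini.exe"
PSEXEC_SERVICE = "psexesvc.exe"

def score_host(events):
    """Return the set of chain stages observed in one host's events."""
    stages = set()
    for ev in events:
        img = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 6 and ev.get("ImageLoaded", "").lower().endswith(VULN_DRIVER):
            stages.add("vulnerable_driver_loaded")
        elif ev["EventID"] == 1:
            if parent.endswith(PSEXEC_SERVICE) and ".bat" in cmd:   # lateral batch execution
                stages.add("psexec_batch_execution")
            if "taskkill" in img and TARGET_AV_PROCESS in cmd:      # AV agent being closed
                stages.add("av_process_terminated")
    return stages

def detect_byovd_chain(events, min_stages=2):
    """Group events by host and alert where two or more chain stages co-occur."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        stages = score_host(evs)
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts

# Constructed sample telemetry (not real captures): WS01 shows the full chain, WS02 is benign
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"cmd /c C:\Temp\run.bat"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "taskkill /IM Martini.exe /F"},
    {"Computer": "WS01", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\Martini.sys"},
    {"Computer": "WS02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
]
```

Requiring two co-occurring stages keeps a lone driver-load event from alerting on its own, while a single host showing both the PsExec-launched script and the AV termination is flagged even before the driver appears.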

Conclusion of the attack and ransom demands

Once the files have been encrypted, the malware leaves instructions for paying the ransom and proceeds to remove its digital traces from the infected system. Trend Micro reports a ransom demand of 50 Bitcoin, with a $500,000 penalty for each day of delay beyond the first 72 hours. Proof of payment must be sent via Telegram to obtain the tools needed for data recovery, with the deadline for full payment set at 120 hours.


01/24/2024 22:48

Editorial AI
