
New "Kasseika" ransomware tactic discovered

Advanced Kasseika ransomware attack methodology evades digital defenses

A ransomware variant called Kasseika uses a vulnerable driver to disable antivirus software and then encrypts data. The attack starts with a phishing email and then spreads through the victim's network. It demands a ransom of 50 Bitcoin.


Trend Micro experts recently identified an insidious ransomware variant dubbed "Kasseika". This malware uses a technique known as BYOVD (Bring Your Own Vulnerable Driver) to disable antivirus programs before encrypting data. The attack usually begins with a phishing email sent to employees of the target organization in order to obtain credentials that allow access to the company network.

Kasseika deployment and action phase

Following the initial breach, Kasseika uses PsExec, a legitimate Windows administration tool, to execute a malicious .bat file and extend its reach within the network. This script is dedicated to finding and terminating a specific process, "Martini.exe", so as to prevent it from interfering. The crucial phase involves downloading and loading "Martini.sys", a vulnerable driver belonging to the VirtIT Agent System antivirus, without which the ransomware would not proceed.

Preparing for data encryption

The attack continues with the abuse of the vulnerable driver to obtain elevated privileges, which are needed to terminate the security and monitoring processes listed in a hard-coded list inside the malware. This allows Kasseika to proceed undisturbed with the execution of the component responsible for encrypting the data, using encryption routines similar to those of the ransomware known as BlackMatter.
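The two paragraphs above describe a chain of observable stages (PsExec launching a batch file, an attempt to stop Martini.exe, the load of Martini.sys, and security processes dying right after). The following detector, added here as an illustration and not code from Trend Micro or the article, correlates those stages over a few constructed log lines in a simplified Sysmon-like format; the event format, file paths and the use of taskkill are assumptions for the example.

```python
from typing import Dict, List

# Constructed sample telemetry (not real logs): one event per line in an
# assumed "type|key=value|key=value" format loosely modelled on Sysmon.
SAMPLE_EVENTS = [
    "process_create|image=C:\\Tools\\PsExec.exe|cmdline=PsExec.exe \\\\srv01 -s cmd /c deploy.bat",
    "process_create|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd /c deploy.bat",
    "process_create|image=C:\\Windows\\System32\\taskkill.exe|cmdline=taskkill /f /im Martini.exe",
    "driver_load|image=C:\\Windows\\Temp\\Martini.sys|signed=true",
    "process_terminate|image=C:\\Program Files\\EDR\\edr_agent.exe",
    "process_terminate|image=C:\\Program Files\\AV\\avscan.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split 'type|k=v|k=v' into a dict, with the event type under 'type'."""
    event_type, *fields = line.split("|")
    event = {"type": event_type}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def kasseika_stages(lines: List[str]) -> Dict[str, object]:
    """Correlate, in order, the stages described in the write-up:
    1. PsExec launching a .bat file (lateral movement),
    2. an attempt to stop Martini.exe,
    3. the vulnerable Martini.sys driver being loaded,
    4. processes terminated after the driver is loaded."""
    stages = {"psexec_bat": False, "martini_exe_kill": False,
              "martini_sys_load": False, "terminated_after_load": []}
    driver_loaded = False
    for event in map(parse_event, lines):
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "").lower()
        if event["type"] == "process_create":
            if image.endswith("psexec.exe") and ".bat" in cmdline:
                stages["psexec_bat"] = True
            if "martini.exe" in cmdline and stages["psexec_bat"]:
                stages["martini_exe_kill"] = True
        elif event["type"] == "driver_load" and image.endswith("martini.sys"):
            stages["martini_sys_load"] = True
            driver_loaded = True
        elif event["type"] == "process_terminate" and driver_loaded:
            stages["terminated_after_load"].append(event.get("image", ""))
    return stages

def is_kasseika_chain(lines: List[str]) -> bool:
    """Alert only when the whole BYOVD chain appears in sequence, so a
    legitimate load of the VirtIT driver on its own does not fire."""
    s = kasseika_stages(lines)
    return bool(s["psexec_bat"] and s["martini_exe_kill"]
                and s["martini_sys_load"] and s["terminated_after_load"])
```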

Conclusion of the attack and ransom demands

Once the files have been encrypted, the malware leaves instructions for paying the ransom and proceeds to remove its digital traces from the infected system. Trend Micro reports a demand of 50 Bitcoin, with a $500,000 penalty for each day of delay beyond the first 72 hours. Proof of payment must be sent via Telegram to obtain the tools needed for data recovery, with the deadline for full payment set at 120 hours.


01/24/2024 22:48

Marco Verro
