
New "Kasseika" ransomware tactic discovered

Advanced Kasseika ransomware attack methodology evades digital defenses

A ransomware variant called Kasseika abuses a vulnerable antivirus driver to disable security software before encrypting data. The attack starts with a phishing email and then spreads laterally across the victim's network. The operators demand a ransom of 50 Bitcoin.


Trend Micro experts recently identified an insidious ransomware variant dubbed "Kasseika". The malware uses a technique known as BYOVD (Bring Your Own Vulnerable Driver) to disable antivirus software before encrypting data. The attack usually begins with a phishing email sent to employees of the target organization in order to steal credentials and gain a foothold in the corporate network.

Kasseika deployment and action phase

Following the initial breach, Kasseika used PsExec, a Microsoft Sysinternals remote-execution tool, to run a malicious .bat file and extend its reach within the network. The script searches for and terminates a specific process, "Martini.exe", so that the legitimate agent cannot interfere with what follows. The crucial step is downloading and loading "Martini.sys", a vulnerable driver belonging to the VirIT Agent System antivirus product: if the driver is not successfully loaded, the ransomware does not proceed.

Preparing for data encryption

The attack continues by abusing the vulnerable driver to obtain kernel-level privileges, which are needed to terminate the security and monitoring processes listed in a configuration preset in the malware. With the defenses silenced, Kasseika launches the executable responsible for encrypting the data, using encryption routines that closely resemble those of the BlackMatter ransomware.
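The chain described in the two sections above (PsExec launching a batch file, Martini.exe being killed, Martini.sys being loaded, then a burst of security-process terminations) is what a detection engineer would look for, rather than the driver load alone: Martini.sys is a legitimate driver on any host that runs VirIT. The following Python script is an added example, not Trend Micro's code nor part of the original report. The pipe-delimited log format, the host names, and the list of security process names are constructed assumptions for the example; the real process list lives in the malware's configuration.

```python
"""Added example: hunt for the Kasseika BYOVD chain in simplified host telemetry.

The log format is a constructed, pipe-delimited stand-in for Sysmon/EDR events,
not any vendor's real output. Record layout:
    timestamp|host|event|image|parent_image|command_line
"""
import datetime as dt
from collections import defaultdict

# Constructed sample telemetry. WS01 shows the full chain; WS02 is a host where
# the VirIT driver is loaded legitimately and nothing else happens.
SAMPLE_LOG = """\
2024-01-20T10:00:01|WS01|process_create|C:\\Windows\\PSEXESVC.exe|services.exe|
2024-01-20T10:00:02|WS01|process_create|C:\\Windows\\System32\\cmd.exe|PSEXESVC.exe|cmd.exe /c C:\\Temp\\run.bat
2024-01-20T10:00:03|WS01|process_terminate|Martini.exe|cmd.exe|
2024-01-20T10:00:05|WS01|driver_load|C:\\Windows\\System32\\drivers\\Martini.sys||
2024-01-20T10:00:06|WS01|process_terminate|MsMpEng.exe||
2024-01-20T10:00:06|WS01|process_terminate|SecurityHealthService.exe||
2024-01-20T10:00:07|WS01|process_terminate|sysmon64.exe||
2024-01-20T09:30:00|WS02|driver_load|C:\\Windows\\System32\\drivers\\Martini.sys||
"""

# Assumed set of security/monitoring process names for the example; the
# malware's real preconfigured list is not reproduced here.
SECURITY_PROCESSES = {"msmpeng.exe", "securityhealthservice.exe",
                      "sysmon64.exe", "sysmon.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles bare names too)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text: str) -> list:
    """Turn the constructed log text into a list of normalized records."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, image, parent, cmdline = line.split("|", 5)
        records.append({
            "ts": dt.datetime.fromisoformat(ts),
            "host": host,
            "event": event,
            "image": _basename(image),
            "parent": _basename(parent),
            "cmdline": cmdline.lower(),
        })
    return records


def detect_byovd_chain(log_text: str,
                       window: dt.timedelta = dt.timedelta(minutes=10),
                       min_kills: int = 2) -> list:
    """Return one finding per suspicious Martini.sys load.

    A load is suspicious when, within `window`, it is preceded by the
    termination of Martini.exe (the legitimate VirIT agent) or followed by at
    least `min_kills` terminations of known security processes. A bare load
    with neither signal is treated as a normal VirIT host and not reported.
    """
    by_host = defaultdict(list)
    for rec in parse(log_text):
        by_host[rec["host"]].append(rec)

    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["event"] != "driver_load" or rec["image"] != "martini.sys":
                continue
            t0 = rec["ts"]
            before = [x for x in recs[:i] if t0 - x["ts"] <= window]
            after = [x for x in recs[i + 1:] if x["ts"] - t0 <= window]

            psexec_batch = any(
                x["event"] == "process_create"
                and x["parent"] == "psexesvc.exe"
                and ".bat" in x["cmdline"]
                for x in before)
            martini_exe_killed = any(
                x["event"] == "process_terminate" and x["image"] == "martini.exe"
                for x in before)
            security_kills = sorted({
                x["image"] for x in after
                if x["event"] == "process_terminate"
                and x["image"] in SECURITY_PROCESSES})

            if martini_exe_killed or len(security_kills) >= min_kills:
                findings.append({
                    "host": host,
                    "driver_load_time": t0.isoformat(),
                    "psexec_batch": psexec_batch,
                    "martini_exe_killed": martini_exe_killed,
                    "security_kills": security_kills,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_byovd_chain(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the detector reports WS01 only, with all three stages present, and stays quiet on WS02 because a legitimate VirIT driver load has neither the preceding agent kill nor the burst of security-process terminations. Detection is the reactive half; the preventive control is to block the vulnerable driver by hash with a WDAC policy or Microsoft's vulnerable driver blocklist, so the load in step three fails and, as the report notes, the ransomware does not proceed.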

Conclusion of the attack and ransom demands

Once the files are encrypted, the malware drops its ransom instructions and removes its traces from the infected system. Trend Micro reports a demand of 50 Bitcoin, with a penalty of $500,000 for each day of delay beyond the first 72 hours. Proof of payment must be sent via Telegram to receive the decryption tools, and the full payment is due within 120 hours.


01/24/2024 22:48

Editorial AI
