New "Kasseika" ransomware tactic discovered
Advanced Kasseika ransomware attack methodology evades digital defenses
A ransomware variant called Kasseika abuses a vulnerable signed driver to disable antivirus software before encrypting data. The intrusion starts with a phishing email and then spreads laterally across the victim's network. The ransom demand is 50 Bitcoin.
Trend Micro researchers recently identified an insidious ransomware variant dubbed "Kasseika". The malware uses a technique known as BYOVD (Bring Your Own Vulnerable Driver): it loads a legitimately signed but exploitable driver and uses that driver's kernel-level access to disable antivirus programs before encrypting data. The attack usually begins with a phishing email aimed at employees of the target organization, with the goal of stealing credentials that give the attackers a foothold in the company network.
Kasseika deployment and action phase
Following the initial breach, Kasseika uses PsExec, a Sysinternals remote-execution tool widely abused for lateral movement, to run a malicious .bat file on other machines in the network. This script terminates any running instance of the process "Martini.exe", so that no other instance of the agent is active when the ransomware drops its own copy of the driver. The crucial phase is dropping and loading "Martini.sys", a vulnerable driver that belongs to TG Soft's VirIT Agent System antivirus: the ransomware checks that the driver is present and will not proceed without it.
Preparing for data encryption
The attack continues with the abuse of the vulnerable driver. By sending requests to the driver's device control interface from user mode, the malware gains kernel-level process-termination capabilities, which it uses to kill a preconfigured list of security and monitoring processes (antivirus, EDR and analysis tools). Because the driver carries a valid signature, Windows loads it without complaint; stopping it relies on driver blocklists (WDAC or Microsoft's vulnerable driver blocklist) rather than on signature enforcement. With the defenses down, Kasseika runs the component responsible for encrypting the data, whose encryption routine Trend Micro found closely resembles that of the BlackMatter ransomware.
Conclusion of the attack and ransom demands
Once the files have been encrypted, the malware drops ransom instructions and covers its tracks, clearing the Windows event logs with wevtutil. Trend Micro reports a demand of 50 Bitcoin, with a $500,000 penalty for each 24 hours of delay beyond the first 72 hours. Proof of payment must be sent over Telegram to obtain the decryption tools, and the total payment deadline is 120 hours.
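The chain above (PsExec-driven .bat, Martini.exe kill, Martini.sys load, process termination, log wiping) leaves artifacts a defender can look for on a suspect host. The following triage script is an added example written for this page; it is not Trend Micro's code or part of the original article. It assumes it is run elevated on the Windows host under investigation, that `$LookbackHours` is a triage window the analyst chooses, and that service and event names are the Windows defaults (PsExec can be told to install its service under a different name, so a miss there is inconclusive). The indicator names Martini.sys, Martini.exe and PsExec come from the article; the event IDs are standard Windows ones.

```powershell
<#
  Kasseika host triage (added example, not the article's or Trend Micro's code).
  Assumptions: run as local administrator; default Windows/PsExec names;
  $LookbackHours is an analyst-chosen window.
#>
param([int]$LookbackHours = 72)

$since = (Get-Date).AddHours(-$LookbackHours)
$script:findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Indicator, [string]$Detail)
    $script:findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. BYOVD: any driver service whose image points at Martini.sys, regardless of
#    the service name the malware chose. A legitimate VirIT install would also
#    match, so this is a lead to confirm, not a verdict on its own.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -like '*Martini.sys*') {
        Add-Finding 'Driver service referencing Martini.sys' "$($_.PSChildName): $img"
    }
}
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*Martini.sys*' } |
    ForEach-Object { Add-Finding 'Martini.sys currently loaded' "$($_.Name) state=$($_.State)" }

# 2. The VirIT agent process the .bat script kills, if it is (still) running.
Get-Process -Name 'Martini' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Martini.exe running' "pid=$($_.Id) path=$($_.Path)" }

# 3. Lateral movement: PsExec installs a service (default name PSEXESVC) on the
#    target, which Service Control Manager records as System event 7045.
#    Properties[0] is the service name, Properties[1] the image path.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc  = [string]$_.Properties[0].Value
        $path = [string]$_.Properties[1].Value
        if ($svc -match 'PSEXESVC' -or $path -match '\.bat|Martini\.sys') {
            Add-Finding 'Service install (7045)' "$($_.TimeCreated.ToString('s')) $svc -> $path"
        }
    }

# 4. Anti-forensics: clearing the Security log writes event 1102 into the fresh
#    log; clearing other logs writes System event 104. These survive the wipe.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Security log cleared (1102)' $_.TimeCreated.ToString('s') }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Event log cleared (104)' "$($_.TimeCreated.ToString('s')) $($_.Message.Split("`n")[0])" }

# 5. Defense evasion side effect: the kernel-level kill list targets security
#    products, so a stopped Defender service on a host that should run it is suspicious.
$defender = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
if ($defender -and $defender.Status -ne 'Running') {
    Add-Finding 'Defender service not running' "WinDefend status=$($defender.Status)"
}

if ($script:findings.Count -eq 0) {
    'No Kasseika indicators found in the last {0} hours (absence is not proof: logs may have been wiped).' -f $LookbackHours
} else {
    $script:findings | Format-Table -AutoSize
}
```

Run it as `.\Find-Kasseika.ps1 -LookbackHours 168` to widen the window. Two caveats: the 7045 check only catches PsExec under its default service name, and the driver check tells you the driver is present, not whether it was abused. The durable fix is to block the driver before it loads, with a WDAC policy or Microsoft's vulnerable driver blocklist; confirm that the specific Martini.sys version is covered before relying on either.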
01/24/2024 22:48
Marco Verro