BIGFISH TECHNOLOGY LIMITED
26 January 2024

The Kasseika ransomware exploits an antivirus driver to kill other antiviruses.

A freshly discovered ransomware operation called 'Kasseika' has joined the ranks of threat actors who use Bring Your Own Vulnerable Driver (BYOVD) techniques to disable antivirus protection before encrypting files.

Kasseika exploits the Martini driver (Martini.sys/viragt64.sys), a component of TG Soft's VirtIT Agent PC, to disable antivirus software on the targeted PC.


Kasseika attack chain

Kasseika attacks begin with a phishing email sent to employees of the targeted firm in an attempt to obtain their account credentials, which are subsequently used to gain initial access to the corporate network.

Next, Kasseika operators use the Windows PsExec utility to execute malicious .bat files on the infected machine, as well as on other systems they have reached through lateral movement.

To avoid interference, the batch file checks for the presence of the 'Martini.exe' process and terminates it. It then downloads the vulnerable 'Martini.sys' driver onto the PC.

The presence of that driver is critical in the attack chain since Kasseika will not continue if the 'Martini' service creation fails or 'Martini.sys' is not found on the system.

Through this BYOVD abuse, that is, by exploiting weaknesses in the loaded driver, the malware gains the ability to terminate 991 processes from a hardcoded list, many of which correspond to antivirus products, security tools, analysis tools, and system utilities.

Kasseika eventually runs Martini.exe to stop antivirus processes before launching the main ransomware program (smartscreen_protected.exe). Following that, it executes the 'clear.bat' script to delete attack traces.


The ransomware encrypts target files using the ChaCha20 and RSA algorithms, appending a pseudo-random string to the filenames, similar to BlackMatter.

Kasseika leaves a ransom note in each directory it has encrypted and modifies the computer's wallpaper to convey a message about the attack.

Finally, Kasseika clears system event logs after encryption, using commands such as 'wevtutil.exe' to remove evidence of its actions and complicate security research.
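As an added, defender-side example that is not part of the article: a small Python correlator that runs over constructed Windows/Sysmon event records and flags a host showing two or more stages of the chain described above (the Martini.sys service install, PsExec launching a batch file, and wevtutil log clearing). Event IDs 7045, Sysmon 1 and 1102 are real Windows/Sysmon IDs; the host names, paths and record layout are assumptions.

```python
# Added example (not from the article): correlate constructed Windows event
# records for the Kasseika-style sequence: a service installed for the
# vulnerable Martini/viragt64 driver, PsExec running a .bat, and event log
# clearing via wevtutil. Event IDs 7045 (service installed), 1 (Sysmon
# process create) and 1102 (audit log cleared) are real; record shapes,
# host names and file paths are constructed for this example.
from collections import defaultdict

VULN_DRIVERS = {"martini.sys", "viragt64.sys"}

def classify(event):
    """Return a stage tag if the event matches one step of the chain, else None."""
    eid, data = event["id"], event["data"]
    if eid == 7045:
        driver = data.get("ImagePath", "").lower().rsplit("\\", 1)[-1]
        if driver in VULN_DRIVERS:
            return "vuln_driver_service"
    if eid == 1:  # Sysmon process creation
        image = data.get("Image", "").lower().rsplit("\\", 1)[-1]
        cmd = data.get("CommandLine", "").lower()
        if image == "psexec.exe" and ".bat" in cmd:
            return "psexec_batch"
        if image == "wevtutil.exe" and " cl " in f" {cmd} ":
            return "log_clear_cmd"
    if eid == 1102:
        return "log_cleared"
    return None

def correlate(events):
    """Group stage hits per host; a host with >=2 distinct stages is reported."""
    stages = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            stages[ev["host"]].add(tag)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 1, "data": {"Image": r"C:\Tools\PsExec.exe",
        "CommandLine": r"psexec.exe \\WS01 -s cmd /c C:\temp\run.bat"}},
    {"host": "WS01", "id": 7045, "data": {"ServiceName": "Martini",
        "ImagePath": r"C:\Windows\Temp\Martini.sys"}},
    {"host": "WS01", "id": 1, "data": {"Image": r"C:\Windows\System32\wevtutil.exe",
        "CommandLine": "wevtutil.exe cl System"}},
    {"host": "WS01", "id": 1102, "data": {}},
    {"host": "WS02", "id": 1, "data": {"Image": r"C:\Windows\System32\wevtutil.exe",
        "CommandLine": "wevtutil.exe qe Security"}},  # benign query, not a clear
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```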

In the attacks observed by Trend Micro, victims were given 72 hours to deposit 50 Bitcoins ($2,000,000), with another $500,000 added for every 24 hours of delay in resolution.

To receive a decrypter, the victims must send a snapshot of payment proof to a private Telegram group within 120 hours (5 days).

Trend Micro has published the indicators of compromise (IoCs) for the Kasseika threat separately, in this text file.


Source: Bleeping Computer