Kasseika, a ransomware gang, has recently started using the Bring Your Own Vulnerable Driver (BYOVD) attack to disable security processes on compromised Windows hosts. This group has joined other well-known groups such as Akira, AvosLocker, BlackByte, and RobbinHood in employing this technique.
In their investigation, Trend Micro stated that the approach enables malicious individuals to terminate antivirus processes and services in order to spread ransomware.
Kasseika, initially identified by the cybersecurity company in mid-December 2023, shares similarities with the now-defunct BlackMatter group, which developed following the closure of DarkSide.
There is evidence indicating that the ransomware strain may have been created by a skilled individual or group who obtained or bought access to BlackMatter. This is supported by the fact that the source code of BlackMatter has not been publicly released since it ceased to exist in November 2021.
The attack sequences involving Kasseika begin with a phishing email to gain initial access, followed by the deployment of remote administration tools (RATs) to acquire privileged access and move laterally within the targeted network.
The threat actors have been seen employing Microsoft’s Sysinternals PsExec command-line application to carry out a malicious batch script. This script verifies the presence of a process called “Martini.exe” and, if detected, terminates it to ensure that only one instance of the process is running on the PC.
The primary function of the executable is to retrieve and execute the “Martini.sys” driver from a remote server, with the purpose of disabling 991 security features. Notably, “Martini.sys” is in fact a legitimately signed driver, “viragt64.sys”, that appears on Microsoft’s list of vulnerable drivers to be blocked.
The researchers highlighted the vital function of the Martini.sys driver in defensive evasion, stating that if it is absent, the malware will terminate itself and cease its intended routine.
After this stage, the ransomware payload named “smartscreen_protected.exe” is executed by “Martini.exe”. The payload carries out the encryption process using the ChaCha20 and RSA algorithms. Before doing so, however, it uses the Windows Restart Manager to terminate running programs and services.
Subsequently, a ransom note is placed in each encrypted directory, while the computer’s wallpaper is altered to exhibit a message insisting on a payment of 50 bitcoins to a specified wallet address within a 72-hour timeframe. Failure to comply would result in an additional charge of $500,000 per day after the deadline has passed.
Additionally, the victims are required to upload a screenshot of the payment confirmation to a Telegram channel that is controlled by the perpetrator in order to obtain a decryptor.
The Kasseika ransomware possesses additional tactics, such as erasing evidence of its actions by utilizing the wevtutil.exe binary to delete the system’s event logs.
The researchers stated that the wevtutil.exe command effectively purges the Application, Security, and System event logs on the Windows system. “This method is employed to carry out actions covertly, thereby increasing the difficulty for security tools to detect and counteract malicious activities.”
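As an added illustration of how a defender might spot the two behaviours described above (the load of the blocklisted Martini.sys/viragt64.sys driver and the clearing of event logs with wevtutil.exe), the following detector runs over constructed Sysmon-style records. It is example code written for this page, not Trend Micro's or the malware's; the file paths, user name and record layout are assumptions.

```python
"""Toy detector for two Kasseika behaviours: loading the blocklisted
Martini.sys/viragt64.sys driver (BYOVD) and clearing event logs with
wevtutil.exe. Runs over constructed Sysmon-style records, not real telemetry."""
import re
from typing import Iterable, List

# Driver names taken from the write-up above.
BLOCKED_DRIVER_NAMES = {"martini.sys", "viragt64.sys"}
# Logs the write-up says are purged.
CLEARED_LOGS = {"application", "security", "system"}
# Matches "wevtutil cl <log>" / "wevtutil clear-log <log>"; ignores queries (qe, el).
WEVTUTIL_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\w+)", re.I)


def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert per suspicious record, in input order."""
    alerts: List[str] = []
    for ev in events:
        eid, data = ev.get("EventID"), ev.get("EventData", {})
        if eid == 6:  # Sysmon DriverLoad
            path = data.get("ImageLoaded", "")
            if path.rsplit("\\", 1)[-1].lower() in BLOCKED_DRIVER_NAMES:
                alerts.append(f"BYOVD: blocklisted driver loaded from {path}")
        elif eid == 1:  # Sysmon ProcessCreate
            m = WEVTUTIL_CLEAR.search(data.get("CommandLine", ""))
            if m and m.group(1).lower() in CLEARED_LOGS:
                alerts.append(f"Anti-forensics: {m.group(1)} log cleared via "
                              f"{data.get('ParentImage', 'unknown parent')}")
        elif eid == 1102:  # Security log: the audit log itself was cleared
            alerts.append(f"Audit log cleared by {data.get('SubjectUserName', '?')}")
    return alerts


# Constructed sample records (hypothetical paths and user); the "qe" query
# is benign and must not alert.
SAMPLE_EVENTS = [
    {"EventID": 6, "EventData": {"ImageLoaded": r"C:\Windows\Temp\Martini.sys"}},
    {"EventID": 1, "EventData": {"CommandLine": "wevtutil.exe qe Security /c:5",
                                 "ParentImage": r"C:\Windows\System32\cmd.exe"}},
    {"EventID": 1, "EventData": {"CommandLine": "wevtutil cl Security",
                                 "ParentImage": r"C:\Windows\System32\cmd.exe"}},
    {"EventID": 1102, "EventData": {"SubjectUserName": "svc_backup"}},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Real deployments would key the driver check on file hash and signer rather than file name, since the name is trivially changed; the page itself notes the dropped file is a renamed copy of viragt64.sys.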
Palo Alto Networks Unit 42 has reported that the BianLian ransomware group has shifted from double extortion to encryptionless extortion attacks. This change followed the release of a free decryptor tool in early 2023.
BianLian has emerged as a prominent and ongoing threat organization since September 2022, primarily targeting the healthcare, manufacturing, professional, and legal services sectors in the United States, the United Kingdom, Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
The primary methods employed by BianLian operators to breach corporate networks are the theft of Remote Desktop Protocol (RDP) credentials, exploitation of known security vulnerabilities such as ProxyShell, and the use of web shells.
In addition, the group shares a custom tool built on the .NET framework with another ransomware gang known as Makop, indicating possible links between the two.
Security researcher Daniel Frank describes it as “a .NET tool that performs the task of retrieving file enumeration, registry, and clipboard data.”
The tool contains several Russian words, including the numerals from one to four. The shared use of such a tool suggests that the two groups may have drawn on a common toolset or employed the same developers in the past.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.