Kasseika ransomware has adopted sophisticated tactics to evade antivirus software during its attacks. Utilizing Bring Your Own Vulnerable Driver (BYOVD) techniques, the ransomware exploits the Martini driver, specifically Martini.sys/viragt64.sys, part of TG Soft’s VirtIT Agent System, to disable antivirus products protecting the targeted system. Trend Micro, the cybersecurity firm that identified Kasseika in December 2023, highlights its attack chains and source code similarities with BlackMatter, suggesting a potential connection. Kasseika’s attack chain involves phishing emails, Martini driver vulnerabilities, and BYOVD attacks to gain access, terminate antivirus processes, and encrypt files using ChaCha20 and RSA encryption algorithms.
The Kasseika ransomware operation initiates attacks through phishing emails targeting employees of the intended organization, aiming to steal account credentials for initial network access. Operators then employ the Windows PsExec tool to execute malicious .bat files on infected systems, utilizing lateral movement. A crucial step involves checking for the presence of the ‘Martini.exe’ process, terminating it to avoid interference, and downloading the ‘Martini.sys’ driver. Kasseika relies on BYOVD attacks to exploit flaws in the loaded driver, granting privileges to terminate specific processes, including antivirus products and security tools. The ransomware ultimately encrypts files, appends a pseudo-random string to filenames, demands a ransom in Bitcoin, and provides a decrypter upon payment proof.
Victims of Kasseika are given a 72-hour window to deposit 50 Bitcoins (approximately $2,000,000), with an additional $500,000 added for each 24-hour delay in resolution. A private Telegram group is used for communication, and victims must post a screenshot of payment proof to receive a decrypter. The ransomware also alters the computer’s wallpaper and drops a ransom note in every encrypted directory. Trend Micro emphasizes the importance of understanding Kasseika’s tactics, as it showcases the evolving and sophisticated strategies employed by ransomware operators to bypass security measures. The cybersecurity firm has published indicators of compromise (IoCs) related to the Kasseika threat for identification and mitigation.
