
Kasseika Ransomware associated with BlackMatter in BYOVD cyberattack


Researchers at Trend Micro have described a new ransomware family, Kasseika, and linked it to the apparently defunct BlackMatter gang. The operators deploy the ransomware with a bring-your-own-vulnerable-driver (BYOVD) technique: they load a legitimately signed but vulnerable driver and use it to terminate antivirus processes and services before encryption begins.

Trend Micro’s blog post notes that Kasseika is one of several ransomware operations using BYOVD; Akira, BlackByte, and AvosLocker have employed similar tactics. In a BYOVD attack, the adversary brings along a legitimate, signed device driver that contains a known vulnerability, loads it (which requires administrative privileges), and abuses the flaw to run code in the kernel, from where it can bypass security controls and kill processes that user-mode malware could not touch. In Kasseika’s case, the ransomware abused the Martini driver to terminate antivirus-related processes on infected machines.

Despite being new to the ransomware scene, Kasseika appears to borrow heavily from BlackMatter’s source code. The name “kasseika” means revitalization, rejuvenation, or resuscitation in Japanese, which fits the theory that the group acquired or bought access to the defunct BlackMatter’s code from the limited circle of mature actors who held it.

In the attack Trend Micro observed, Kasseika used phishing to steal an employee’s credentials at the targeted company and gain initial access to the network. The actors moved laterally with remote administration tools, then used the legitimate Sysinternals utility PsExec to remotely execute a malicious .BAT file that launches the ransomware payload.

To execute its BYOVD attack, the group brought its own copy of the vulnerable “Martini.sys” driver onto the target and used it to disable security tools in the environment; if the driver is not present, the malware self-terminates and does not proceed. Kasseika also terminates running processes associated with process monitoring, system monitoring, and analysis tools, both to evade detection and to hamper investigation.

The Kasseika binary itself uses heavy code obfuscation and anti-debugging techniques that make reverse engineering difficult. Before encrypting files, the ransomware uses the Windows Restart Manager to terminate processes and services that hold target files open, so that file locks cannot block encryption; it then drops a ransom note in every encrypted directory.

To defend against BYOVD attacks like those used by Kasseika and other ransomware groups, Trend Micro recommends that organizations limit administrative rights and access (loading a driver requires them), keep security products updated, and maintain regular, tested backups of critical data. Good email and web-safety practices, together with employee education on social engineering, reduce the phishing risk that gave Kasseika its initial foothold.

Ultimately, the emergence of Kasseika and its use of BYOVD is a reminder of the importance of maintaining robust security practices against evolving threats. As cybercriminals continue to adapt and develop new tactics, organizations must remain vigilant and proactive in protecting their data and systems.
