Ransomware, a type of malware used to demand payment in exchange for unlocking encrypted data, has become a significant threat to individuals, businesses, and governments. By exploiting the vulnerabilities of systems and encrypting sensitive information, hackers are able to extort money, often in the form of bitcoin, from their targets.
Recently, cybersecurity researchers at Trend Micro made a significant discovery in the ongoing battle against ransomware. They found that threat actors are using new methods to disable antivirus programs and are actively exploiting the driver functionality to go undetected and carry out their malicious activities.
One notable example of this trend is the Kasseika ransomware, which has been causing havoc since 2023. This strain of ransomware has joined the BYOVD (Bring Your Own Vulnerability Driver) trend, following in the footsteps of other notorious ransomware variants such as Akira, BlackByte, and AvosLocker. Kasseika has been employing the Martini driver to disable antivirus programs, reminiscent of the infamous BlackMatter ransomware with pseudo-ransom extensions.
The emergence of Kasseika ransomware is a troubling development, as it suggests the involvement of a mature actor with access to BlackMatter’s source code, which had been previously linked to cybercriminal groups like DarkSide and ALPHV. Since BlackMatter’s shutdown in 2021, other exclusive ransomware groups have been adapting the old code to create new, more powerful strains.
Kasseika ransomware has a sophisticated modus operandi, employing targeted phishing for initial access and utilizing PsExec to move laterally within networks. It exploits Martini.sys to disable security tools, terminates processes, and uses security-related processes. Additionally, the ransomware employs a variety of techniques to evade detection and cover its tracks, making it a particularly challenging threat to eradicate.
Countermeasures against ransomware attacks are essential to protect against these increasingly sophisticated threats. Fundamental recommendations include granting admin rights only when necessary, regularly updating security products and performing scans, securing backups for critical data, practicing safe email and website habits, encouraging the reporting of suspicious emails and files, and educating users on social engineering risks regularly. Furthermore, organizations can enhance security through a multi-layered strategy that covers endpoints, email, web, and network entry points, and detect malicious components and suspicious behavior by implementing robust security solutions.
The battle against ransomware is an ongoing challenge, and the recent developments in the form of the Kasseika ransomware indicate that threat actors are continuously evolving and finding new ways to exploit vulnerabilities for financial gain. It is crucial for individuals and organizations to stay vigilant, adopt best practices for cybersecurity, and leverage advanced security solutions to mitigate the risk of falling victim to these malicious attacks.