Kasseika Ransomware Utilizes BYOVD to Neutralize Security Defenses Pre-Encryption

The ransomware group Kasseika has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack strategy to disarm security-related processes on compromised Windows systems, aligning itself with similar tactics employed by groups like Akira, AvosLocker, BlackByte, and RobbinHood.

This tactic enables threat actors to terminate antivirus processes and services, creating an environment conducive to deploying ransomware, as outlined in the analysis. Kasseika, first identified by cybersecurity experts in mid-December 2023, shows similarities to the now-defunct BlackMatter, which emerged following the shutdown of DarkSide.

Evidence suggests that Kasseika might be the work of an experienced threat actor who acquired or purchased access to BlackMatter, considering that BlackMatter’s source code has not publicly leaked since its demise in November 2021.

Kasseika’s attack chains typically begin with a phishing email for initial access, followed by the deployment of remote administration tools (RATs) to gain privileged access and move laterally within the targeted network. The attackers employ Microsoft’s Sysinternals PsExec command-line utility to execute a malicious batch script. This script checks for the presence of a process named “Martini.exe” and terminates it if found, ensuring there is only one instance running on the machine.

The “Martini.exe” executable then downloads and runs the “Martini.sys” driver from a remote server to disable 991 security tools. Notably, “Martini.sys” is a legitimate signed driver named “viragt64.sys,” added to Microsoft’s vulnerable driver blocklist.

Following this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), initiating the encryption process using ChaCha20 and RSA algorithms. Before encryption, it kills all processes and services accessing Windows Restart Manager. A ransom note is left in each encrypted directory, and the computer’s wallpaper is altered to display a ransom demand of 50 bitcoins within 72 hours.

To further obfuscate their tracks, Kasseika wipes system event logs using the “wevtutil.exe” binary, making it more challenging for security tools to identify and respond to malicious activities.
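As an added illustration of how a defender might correlate the stages of the chain described above (this is example code written for this article, not code from the original report or from the malware), the following Python matches constructed endpoint telemetry against the process and driver names given in the text and alerts only when several stages co-occur on one host. The event schema, host names and file paths are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not real logs). Each record is one
# process-start or driver-load event in the shape an EDR might emit it.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"cmd.exe /c C:\Temp\stage.bat"},
    {"host": "WS01", "type": "process", "image": r"C:\Temp\Martini.exe", "cmdline": "Martini.exe"},
    {"host": "WS01", "type": "driver_load", "image": r"C:\Temp\Martini.sys",
     "original_filename": "viragt64.sys"},
    {"host": "WS01", "type": "process", "image": r"C:\Temp\smartscreen_protected.exe", "cmdline": ""},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    # Benign: an administrator querying (not clearing) a log on another host.
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},
]

def _name(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()

# Each stage of the chain described in the article maps to a predicate over one event.
STAGES = {
    "psexec_service": lambda e: e["type"] == "process" and _name(e["image"]) == "psexesvc.exe",
    "martini_loader": lambda e: e["type"] == "process" and _name(e["image"]) == "martini.exe",
    "vulnerable_driver": lambda e: e["type"] == "driver_load" and (
        _name(e["image"]) == "martini.sys"
        or e.get("original_filename", "").lower() == "viragt64.sys"),
    "payload": lambda e: e["type"] == "process" and _name(e["image"]) == "smartscreen_protected.exe",
    # Only log *clearing* (wevtutil cl / clear-log) counts; queries are routine admin use.
    "log_clearing": lambda e: e["type"] == "process" and _name(e["image"]) == "wevtutil.exe"
        and re.search(r"\b(cl|clear-log)\b", e["cmdline"], re.IGNORECASE) is not None,
}

def correlate(events):
    """Return {host: set of stage names observed} across all events."""
    seen = defaultdict(set)
    for e in events:
        for stage, matches in STAGES.items():
            if matches(e):
                seen[e["host"]].add(stage)
    return dict(seen)

def hosts_to_alert(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages were seen; requiring
    several stages keeps a lone PsExec or wevtutil invocation from alerting."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```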

In a related development, the BianLian ransomware group has shifted from double extortion schemes to encryptionless extortion attacks following the release of a free decryptor in early 2023. BianLian has been active since September 2022, targeting various sectors across the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.

The group commonly exploits stolen Remote Desktop Protocol (RDP) credentials, known vulnerabilities like ProxyShell, and web shells to infiltrate corporate networks. Furthermore, there are indications of a potential connection between BianLian and another ransomware group, Makop, as they share a custom .NET-based tool, suggesting collaboration or shared resources in the past.

To thwart ransomware attacks like those employing BYOVD tactics, users should maintain regular backups of critical data and ensure they are stored securely. Employing robust antivirus and anti-ransomware solutions, along with educating users on recognizing phishing attempts, adds an extra layer of defense. Additionally, keeping operating systems and software updated helps patch vulnerabilities that threat actors may exploit, thereby fortifying the overall security posture against ransomware attacks like Kasseika.