June 19, 2024
By Cybervergent Team

Bring Your Own Vulnerable Driver

It's raining ransomware in the new year!

The notorious Kasseika has unleashed a cunning game-changer – the BYOVD Trick! It’s the ultimate sneak attack, disarming security measures pre-encryption and leaving defenses in its pixelated dust. Kasseika, a ransomware faction, has jumped on the Bring Your Own Vulnerable Driver (BYOVD) bandwagon, employing this tactic to neutralize security processes on compromised Windows systems. This aligns them with groups such as Akira, AvosLocker, BlackByte, and RobbinHood.

According to a recent analysis by Trend Micro, this maneuver enables threat actors to swiftly disable antivirus processes and services, creating a pathway for the seamless deployment of ransomware. Unveiled by the cybersecurity firm in mid-December 2023, Kasseika shows striking resemblances to the now-defunct BlackMatter, a presence that surfaced following the shutdown of DarkSide. Signs point to the possibility that this ransomware variant might be the creation of a seasoned threat actor who gained access to or acquired BlackMatter. This assumption arises from the fact that BlackMatter’s source code has not surfaced publicly since its demise in November 2021.

Kasseika’s attack sequences kick off with a phishing email, serving as the gateway for initial access. Following this, the ransomware group deploys remote administration tools (RATs) to secure privileged access and maneuver laterally across the targeted network.

The attackers were seen employing Microsoft’s Sysinternals PsExec command-line tool to run a malevolent batch script. This script checks for the presence of a process named “Martini.exe” and, if detected, terminates it to ensure only one instance of the process is active on the machine.

The main function of the executable is to fetch and execute the “Martini.sys” driver from a remote server, aiming to disable 991 security tools. It’s crucial to note that “Martini.sys” is a legitimate signed driver, named “viragt64.sys,” now on Microsoft’s vulnerable driver blocklist.

If “Martini.sys” is absent, the malware terminates itself, emphasizing the driver’s pivotal role in defense evasion. Subsequently, “Martini.exe” initiates the ransomware payload (“smartscreen_protected.exe”), employing ChaCha20 and RSA algorithms for encryption. This occurs after terminating all processes and services accessing Windows Restart Manager. The ransomware leaves a ransom note in each encrypted directory, altering the computer’s wallpaper to display a demand for a 50-bitcoin payment within 72 hours. Failure to meet the deadline results in an additional $500,000 charge every 24 hours.

To receive a decryptor, victims must share a screenshot of their payment in an actor-controlled Telegram group. Kasseika ransomware employs additional tactics, such as erasing traces of its actions by utilizing the wevtutil.exe binary to clear the system’s Application, Security, and System event logs.

According to researchers, this command operates discreetly, making it harder for security tools to detect and counter the malicious activity.
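The chain described above (PsExec launching a batch script, the "Martini.exe" loader, and wevtutil clearing the Application, Security and System logs) gives a defender three process-creation signals to hunt for. The following Python is an added example written for this post, not code from Trend Micro or the Cybervergent team: it runs simple rules over constructed process-creation records. It assumes the records carry host, parent, image and cmdline fields, and that PsExec's service on the target runs under its default name PSEXESVC.exe.

```python
import re

# Constructed process-creation records shaped like Sysmon Event ID 1 /
# Security 4688 fields; not telemetry from the incident described above.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Temp\run.bat"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\Martini.exe", "cmdline": "Martini.exe"},
    {"host": "ws01", "parent": r"C:\Temp\Martini.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    # Benign: querying a log with "qe" is not the same as clearing it with "cl".
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe qe Application /c:5"},
]

# File names taken from the write-up: the loader, the renamed driver and its original name.
WATCHED_IMAGES = {"martini.exe", "martini.sys", "viragt64.sys"}
# wevtutil "cl"/"clear-log" against the three logs the write-up says were wiped.
CLEAR_LOG_RE = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(application|security|system)\b", re.I)
# Assumption: PsExec's service binary keeps its default name on the target.
PSEXEC_SERVICE_RE = re.compile(r"\\psexesvc\.exe$", re.I)

def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    hits = []
    if basename(event["image"]) in WATCHED_IMAGES:
        hits.append("known_loader_name")
    m = CLEAR_LOG_RE.search(event["cmdline"])
    if m:
        hits.append("event_log_cleared:" + m.group(1).capitalize())
    if PSEXEC_SERVICE_RE.search(event["parent"]) and basename(event["image"]) == "cmd.exe":
        hits.append("psexec_spawned_shell")
    return hits

def scan(events):
    """Group labels per host so a machine showing several stages stands out."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in findings.items()}

if __name__ == "__main__":
    for host, labels in scan(SAMPLE_EVENTS).items():
        print(host, labels)
```

A host that trips all three rules in a short window (ws01 in the sample) is a stronger signal than any single rule, since log clearing alone also shows up in routine administration.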

MITIGATIONS

  • Limit employee administrative rights and access to essential needs.
  • Keep security products up to date with regular scans.
  • Safeguard crucial data through consistent and secure backups.
  • Practice caution with emails and websites – trust attachments, URLs, and programs only from reliable sources.
  • Promptly report suspicious emails and files to the security team, utilizing tools to block malicious content.
  • Educate users regularly on social engineering risks and warning signs.