Blog

25 January 2024

Decoding Kasseika Ransomware: BYOVD Attack Strategy and Evolving Threat Landscape

In the intricate dance between cybercriminals and cybersecurity defenders, ransomware stands out as a formidable and continually evolving adversary. This blog post embarks on a comprehensive exploration of the latest tactics employed by the Kasseika ransomware group, focusing on their utilization of the Bring Your Own Vulnerable Driver (BYOVD) attack to subvert security measures on compromised Windows hosts.

Background: The Enigmatic Origins of Kasseika

Around mid-December 2023, cybersecurity analysts detected the emergence of a new player in the ransomware arena—Kasseika. Strikingly, this malevolent entity exhibits intriguing overlaps with the now-defunct BlackMatter, a group that surfaced in the wake of DarkSide's demise. Speculations arise regarding Kasseika's potential connections to an adept threat actor who may have acquired or purchased access to BlackMatter, leveraging its source code for nefarious purposes.

The BYOVD Attack Tactic: A Closer Look at Disarming Security Measures

BYOVD, an acronym for Bring Your Own Vulnerable Driver, has become the weapon of choice for ransomware groups seeking to neutralize security protocols. Kasseika joins the ranks of notorious entities like Akira, AvosLocker, BlackByte, and RobbinHood in leveraging this attack vector. The essence of BYOVD lies in its ability to empower threat actors to terminate antivirus processes and services, creating a vulnerable window conducive to the unimpeded deployment of ransomware.

Attack Chain: Unraveling the Phishing to Ransomware Execution Sequence

Kasseika's modus operandi unfolds in a meticulously orchestrated attack chain, commencing with a phishing email designed to lure unsuspecting victims. Once successful, the threat actors pivot to dropping remote administration tools (RATs) within the compromised environment. These tools serve as the conduits for gaining privileged access and lateral movement within the target network. Notably, Microsoft's Sysinternals PsExec command-line utility emerges as a pivotal tool in the hands of the assailants, facilitating the execution of a malicious batch script.

Execution of Malicious Batch Script: The Martini Connection Exposed

At the heart of Kasseika's operations lies a malicious batch script that serves as the linchpin in their attack chain. This script is programmed to conduct a critical check for the existence of a process named "Martini.exe." If detected, the script promptly terminates this process. Subsequently, the script proceeds to download and execute the "Martini.sys" driver from a remote server. Intriguingly, this driver bears the ostensibly innocuous name "viragt64.sys" but has found its place on Microsoft's vulnerable driver blocklist. The primary function of this driver is to disable a staggering 991 security tools, rendering the system susceptible to the impending ransomware onslaught.

Ransomware Payload: Unveiling ChaCha20, RSA, and Encryption Tactics

With security measures effectively disarmed, the next stage in Kasseika's offensive unfolds as "Martini.exe" unleashes the ransomware payload encapsulated within "smartscreen_protected.exe." The ransomware employs a potent combination of ChaCha20 and RSA algorithms to initiate the encryption process. Notably, prior to encrypting files, the ransomware meticulously terminates all processes and services that may be accessing Windows Restart Manager, ensuring a streamlined and uninterrupted encryption process.

Ransom Note and Cryptocurrency Extortion Strategies: A Digital Shakedown

In the aftermath of the encryption spree, Kasseika leaves its unmistakable mark by depositing a ransom note in every directory that has fallen victim to its cryptographic clutches. Additionally, the assailants modify the victim's wallpaper to display a brazen demand for a 50 bitcoin payment to a specified wallet address. To add urgency and pressure, a tight 72-hour deadline is imposed, with a warning of incurring an additional $500,000 penalty every 24 hours post-deadline for non-compliance. This cryptocurrency extortion strategy has become a hallmark of modern ransomware operations.

Evasion Techniques: The Art of Digital Concealment

To further complicate detection and response efforts, Kasseika employs sophisticated evasion techniques. One such tactic involves the strategic clearing of digital footprints by utilizing the wevtutil.exe binary to wipe the system's event logs. This meticulous erasure of activity traces across the Application, Security, and System event logs on the Windows system aims to operate discreetly, making it considerably more challenging for security tools to identify and respond to malicious activities promptly.

Examples and Evidences:

  1. Example: BYOVD Attack Tactics in the Wild

Evidence: In recent cyber incidents, ransomware groups like BlackMatter and REvil have been observed employing techniques that disable security measures on compromised systems. While the specific term "BYOVD" may not have been explicitly used, the essence of bringing in vulnerable drivers or exploiting existing system vulnerabilities to disarm security tools has been witnessed.

For instance, in the case of the REvil ransomware attack on Kaseya in July 2021, the attackers exploited a zero-day vulnerability in the Kaseya VSA software, allowing them to disable security features and distribute ransomware to numerous managed service providers (MSPs) and their clients.

  1. Example: Sophisticated Evasion Techniques

Evidence: Ransomware groups often employ advanced evasion techniques to avoid detection and hinder incident response efforts. The use of legitimate tools and signed drivers can contribute to the success of these techniques.

The NotPetya ransomware attack in 2017 is a notable example. The attackers used the legitimate Windows management tool PsExec to propagate within networks, allowing them to move laterally and escalate privileges. By leveraging legitimate tools, the attackers avoided raising suspicion and delayed detection.

  1. Example: Cryptocurrency Extortion Strategies

Evidence: Cryptocurrency payments, especially in Bitcoin, have become the preferred method for ransomware extortion. Many ransomware groups demand payments in cryptocurrency due to its pseudonymous nature and the difficulty of tracing transactions.

The WannaCry ransomware attack in 2017 demanded payments in Bitcoin and affected organizations worldwide. The widespread impact and the use of cryptocurrency highlighted the efficacy of such extortion strategies for cybercriminals.

  1. Example: Clearing Digital Footprints

Evidence: Ransomware groups often engage in activities to erase digital footprints, making it challenging for defenders to trace their actions. This includes clearing event logs and other traces of malicious activities.

In the case of the SamSam ransomware attacks in 2018, the attackers were known to delete backups and clear logs to hinder recovery efforts. This deliberate attempt to erase evidence showcased a sophisticated understanding of incident response processes.

 

Conclusion: Navigating the Complexities of the Cyber Threat Landscape

As we wrap up our examination of the fictional narrative surrounding "Decoding Kasseika Ransomware: BYOVD Attack Strategy and Evolving Threat Landscape," the connections drawn to real-world incidents underscore the imperative for organizations, such as digiALERT, to strengthen their defenses against the ever-evolving wave of cyber threats.

In the dynamic terrain of cyber threats, the hypothetical emergence of Kasseika sheds light on the advancing sophistication of ransomware tactics. Although the BYOVD attack strategy is presented fictitiously, it mirrors the plausible challenges faced by organizations in dealing with the perpetual evolution of threat actors.

Drawing from historical incidents, the examples provided serve as cautionary tales and valuable lessons for organizations like digiALERT:

Proactive Defense Measures: The ascent of BYOVD and similar tactics emphasizes the necessity of a proactive defense approach. Remaining ahead of threat actors involves continuous monitoring, gathering threat intelligence, and implementing robust security measures.

Collaborative Vigilance: The interconnected nature of the digital landscape necessitates heightened collaboration. Organizations, including digiALERT, should actively engage with the cybersecurity community, share threat intelligence, and participate in information-sharing platforms to collectively fortify defenses.

Adaptability and Learning: Real-world examples demonstrate that threat actors adapt and refine their tactics. Organizations must foster a culture of learning, adaptability, and resilience. Regular training and simulations enhance preparedness for emerging threats.

Cryptocurrency Risk Mitigation: The reliance on cryptocurrency for ransom payments underscores the need for enhanced strategies to mitigate this risk. Collaboration with financial institutions, regulatory bodies, and law enforcement can contribute to developing robust frameworks for tracking and preventing illicit cryptocurrency transactions.

Digital Forensics and Incident Response (DFIR): As threat actors employ sophisticated evasion techniques, investing in DFIR capabilities becomes paramount. Organizations, including digiALERT, should focus on enhancing their ability to conduct thorough digital forensics, preserve evidence, and respond swiftly to mitigate the impact of ransomware incidents.

In essence, the digital landscape requires a unified approach against cyber threats. DigiALERT, as a proactive participant in the digital security domain, must continue refining its services, collaborating with industry partners, and leveraging the latest technologies to empower organizations in the face of evolving ransomware threats.

The narrative of Kasseika serves as a reminder that cybersecurity is not a static endeavor but an ongoing, adaptive journey. By embracing innovation, knowledge-sharing, and collaborative defense strategies, digiALERT can significantly contribute to a more resilient and secure digital ecosystem. The threat landscape may evolve, but with a collective commitment to cybersecurity, organizations can navigate the challenges posed by emerging adversaries.

Read 333 times Last modified on 25 January 2024

Information

digiALERT is a rapidly growing new-age premium cyber security services firm. We are also the trusted cyber security partner for more than 500+ enterprises across the globe. We are headquartered in India, with offices in Santa Clara, Sacremento , Colombo , Kathmandu, etc. We firmly believe as a company, you focus on your core area, while we focus on our core area which is to take care of your cyber security needs.