January 23, 2024 at 03:14AM
The Kasseika ransomware group has been observed carrying out bring-your-own-vulnerable-driver (BYOVD) attacks, using PsExec for execution and abusing the Martini driver. It is suggested that the group may have acquired access to the source code of BlackMatter ransomware. The attack chain involves targeted phishing for initial access, followed by remote administration tools and defense evasion techniques. Security recommendations are provided to help organizations minimize the risk of such attacks.
Based on the provided meeting notes, the key takeaways are as follows:
– The Kasseika ransomware has been identified as part of the trend of bring-your-own-vulnerable-driver (BYOVD) attacks.
– It has been observed abusing the Martini driver to terminate antivirus-related processes on victim machines.
– Indicators suggest that the Kasseika ransomware has acquired access to the source code of the BlackMatter ransomware, pointing to a mature actor within a limited group.
– The ransomware employs targeted phishing techniques for initial access and uses remote administration tools to gain privileged access within target networks.
– It also misuses the legitimate Windows remote administration tool PsExec for execution.
– Kasseika’s defense evasion techniques involve terminating processes related to security and analysis tools, and it also deletes shadow copies of the affected system.
– The Kasseika ransomware is a 32-bit Windows PE file packed with Themida, making it difficult to reverse-engineer.
– It employs the ChaCha20 encryption algorithm for file encryption and replaces the wallpaper of infected machines with its ransom note.
– The ransomware is capable of wiping its traces by clearing the system’s event logs through the execution of specific commands.
– To minimize the risk of falling victim to similar ransomware attacks, organizations are advised to employ measures such as granting employees administrative rights and access only when necessary, regularly updating security products, securing regular backups of critical data, exercising good email and website safety practices, and conducting regular user education about the dangers and signals of social engineering.
– Security solutions such as Trend Vision One™, Trend Cloud One™ – Workload Security, Trend Micro™ Deep Discovery™ Email Inspector, and Trend Micro Apex One™ are recommended for multilayered protection and behavior detection to help protect enterprises against such ransomware attacks.
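The defense evasion stages summarized above (PsExec-driven execution, shadow copy deletion, event log clearing) are easier to spot together than one at a time. The following detection sketch is an added example, not code from the original notes or from Trend Micro: it runs over constructed process-creation events and flags a host only when more than one stage of the chain appears. PSEXESVC.exe is PsExec's real service binary name; the vssadmin, wmic and wevtutil command spellings are assumed typical forms, since the notes do not quote the actual commands used.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). Each row is
# (host, parent process, command line) as a Sysmon/EDR agent might record it.
SAMPLE_EVENTS = [
    ("ws01", "services.exe", r"C:\Windows\PSEXESVC.exe"),
    ("ws01", "PSEXESVC.exe", r"cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("ws01", "PSEXESVC.exe", r"wevtutil.exe cl Security"),
    ("ws02", "explorer.exe", r"wevtutil qe Application /c:5"),   # benign: log query, not a clear
    ("ws02", "svchost.exe",  r"vssadmin list shadows"),           # benign: listing, not deletion
]

# One pattern per stage of the evasion chain described in the notes. The command
# spellings are assumed typical forms, not commands taken from the Kasseika sample.
STAGE_PATTERNS = {
    "psexec_service":     re.compile(r"\\PSEXESVC\.exe\b", re.I),
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "event_log_clear":    re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
}

def classify(cmdline):
    """Return the sorted stage names whose pattern matches this command line."""
    return sorted(name for name, pat in STAGE_PATTERNS.items() if pat.search(cmdline))

def stages_per_host(events):
    """Aggregate matched stages per host; hosts with no match are dropped."""
    seen = defaultdict(set)
    for host, _parent, cmd in events:
        seen[host].update(classify(cmd))
    return {h: sorted(s) for h, s in seen.items() if s}

def flagged_hosts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, stages)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Requiring two or more stages keeps a lone administrative `vssadmin` or `wevtutil` invocation from alerting on its own, while the full chain on ws01 is still surfaced.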
Additionally, a list of indicators of compromise related to the Kasseika ransomware is provided in a separate document.
Let me know if you require further information or have any specific questions related to the meeting notes.