Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption

January 24, 2024 at 07:06AM

Kasseika, a newly observed ransomware group, has adopted the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software on Windows hosts before encryption, and shows similarities with the now-defunct BlackMatter. The attack chain begins with a phishing email, followed by the deployment of remote administration tools and the execution of a malicious batch script. The ransomware then stops processes and services, encrypts files and demands a ransom of 50 bitcoin. Separately, the BianLian ransomware group has shifted to encryptionless extortion and shares a custom .NET tool with another group, suggesting a possible connection between the two.

The report describes how Kasseika has used the Bring Your Own Vulnerable Driver (BYOVD) technique to run its ransomware on compromised Windows hosts. In a BYOVD attack the adversary loads a legitimately signed but vulnerable driver and abuses it to gain kernel-level access, which is then used to terminate antivirus processes and services before the ransomware payload is deployed. Kasseika is suspected of being linked to the now-defunct BlackMatter, possibly having acquired access to its source code after that group shut down.

The attack chain typically starts with a phishing email for initial access, followed by the use of remote administration tools to obtain privileged access inside the target network. The threat actors then use the Sysinternals PsExec command-line utility to execute a malicious batch script, which first checks for a process named "Martini.exe" and terminates it if it is running. The ransomware payload is then launched, encrypting files and demanding a payment of 50 bitcoin within 72 hours, with additional penalties for late payment.

To evade detection and response, Kasseika also abuses a legitimately signed driver named "viragt64.sys" to disable security tools; this is the BYOVD component of the attack. It additionally changes the desktop wallpaper and clears the system's event logs to hinder forensic analysis.
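The two passages above (PsExec launching a batch script, then a signed vulnerable driver being loaded and the event logs wiped) describe a chain that a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from the researchers it summarises: it runs simple detection rules over constructed Sysmon-style event records (Event ID 1 ProcessCreate, Event ID 6 DriverLoad, plus the Windows Security 1102 and System 104 "log cleared" events) and flags hosts where several stages of the chain appear together. The batch-script name `stage.bat` and the use of `wevtutil.exe cl` to clear logs are assumptions, since the article names neither; `viragt64.sys` and PsExec come from the text.

```python
"""Hunting logic for the Kasseika tradecraft described above: PsExec running a
batch script, a BYOVD load of the signed viragt64.sys driver, and event-log
clearing.  Added example, not code from the article or the researchers it
summarises.  Event records are constructed; field names follow Sysmon's
schema (Event ID 1 ProcessCreate, Event ID 6 DriverLoad) plus the Windows
Security 1102 and System 104 "log cleared" events."""

from dataclasses import dataclass
from typing import Dict, List

PROCESS_CREATE = 1           # Sysmon: process creation
DRIVER_LOAD = 6              # Sysmon: kernel driver loaded
SECURITY_LOG_CLEARED = 1102  # Security channel: audit log was cleared
SYSTEM_LOG_CLEARED = 104     # System channel: log file was cleared

# Indicators taken from the write-up.  The wevtutil check is an assumption:
# the article says the logs are cleared but not which tool does it.
VULNERABLE_DRIVERS = {"viragt64.sys"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or mixed) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Finding]:
    """Return one Finding per event that matches a Kasseika-chain indicator."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        host = ev.get("Computer", "?")
        if eid == DRIVER_LOAD:
            # BYOVD: the driver is legitimately signed, so a signature check
            # alone passes; the file name and a user-writable path are the tell.
            name = _basename(ev.get("ImageLoaded", ""))
            if name in VULNERABLE_DRIVERS:
                findings.append(Finding("byovd_driver_load", host,
                                        f"{ev['ImageLoaded']} (Signed={ev.get('Signed')})"))
        elif eid == PROCESS_CREATE:
            image = _basename(ev.get("Image", ""))
            parent = _basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # PsExec drops PSEXESVC.exe on the target; the script it runs shows
            # up as a child of that service (or of the psexec client itself).
            if (parent in PSEXEC_IMAGES or image in PSEXEC_IMAGES) and ".bat" in cmd.lower():
                findings.append(Finding("psexec_batch_exec", host, cmd))
            if image == "wevtutil.exe" and " cl " in f" {cmd.lower()} ":
                findings.append(Finding("event_log_clear_cmd", host, cmd))
        elif eid in (SECURITY_LOG_CLEARED, SYSTEM_LOG_CLEARED):
            findings.append(Finding("event_log_cleared", host, ev.get("Channel", "")))
    return findings


def hosts_with_chain(findings: List[Finding], min_rules: int = 3) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired.  A lone driver
    load may be an admin tool; driver load plus PsExec script plus log
    clearing on one host is the staging pattern the report describes."""
    rules_by_host: Dict[str, set] = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)


# Constructed sample telemetry: one host showing the full chain, one benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\stage.bat"'},  # hypothetical script name
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Users\Public\viragt64.sys",
     "Signed": "true"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil.exe cl System"},
    {"EventID": 1102, "Computer": "WS01", "Channel": "Security"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("hosts with chain:", hosts_with_chain(hunt(SAMPLE_EVENTS)))
```

Run against the constructed sample, the four WS01 events each fire a different rule and the host is reported as showing the chain, while the benign WS02 process produces nothing. The per-host correlation matters more than any single rule: a signed driver load on its own is common, and the point of BYOVD is precisely that the driver passes signature checks, so the detection has to rest on the file name, its path, and what happens around it.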

The report also notes the BianLian ransomware group's shift from double-extortion schemes (data theft combined with encryption) to encryptionless extortion attacks. BianLian has been particularly active against various sectors in multiple countries, using stolen RDP credentials, known security flaws, and web shells as common initial access routes.

There also appears to be a possible connection between BianLian and another group tracked as Makop, as the two share a custom .NET-based tool that enumerates files and collects registry and clipboard data.

Other ransomware groups named in the report include Akira, AvosLocker, BlackByte, RobbinHood, and DarkSide.

Taken together, the report highlights the evolving and increasingly sophisticated nature of ransomware operations and the need for robust defences, in particular against the abuse of legitimately signed but vulnerable drivers.