January 23, 2024 at 03:04PM
A ransomware operation called ‘Kasseika’ has emerged, employing Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files. It abuses a vulnerable driver to disable antivirus products protecting the system. Similarities with BlackMatter indicate possible connections. Victims are given 72 hours to deposit 50 Bitcoins, with additional amounts added for delays.
From the meeting notes, the following key takeaways can be summarized:
1. Kasseika, a new ransomware operation, employs the Bring Your Own Vulnerable Driver (BYOVD) tactic to disable antivirus software before encrypting files.
2. Kasseika exploits the Martini driver to disable antivirus products protecting the targeted system.
3. Trend Micro discovered and examined Kasseika in December 2023, finding source code similarities with BlackMatter, indicating potential ties to the former ransomware group.
4. Kasseika’s attack chain involves phishing emails, abuse of the Windows PsExec tool, utilization of a digitally signed vulnerable driver, termination of antivirus processes, execution of ransomware binary, encryption of files, and dropping of a ransom note.
5. The ransomware demands a payment of 50 Bitcoins ($2,000,000) within 72 hours, with an additional $500,000 added every 24 hours of delay in resolution.
6. Victims are instructed to post a payment proof on a private Telegram group within 120 hours (5 days) to receive a decrypter.
7. Trend Micro has published indicators of compromise (IoCs) related to the Kasseika threat for reference.
These takeaways provide a clear understanding of Kasseika’s tactics, attack chain, and ransom demands, as well as the necessary steps to mitigate the threat using the provided IoCs.