Kasseika Ransomware Linked to BlackMatter in BYOVD Attack

January 24, 2024 at 01:05PM

A new ransomware group, Kasseika, has adopted an emerging attack technique known as bring-your-own-vulnerable-driver (BYOVD) to deploy ransomware, bypassing security controls. The group exploited a legitimate device driver to terminate antivirus-related processes and execute ransomware. Kasseika’s advanced evasion techniques and code obfuscation make it a potent threat, necessitating robust defense strategies.

A ransomware group, potentially associated with the disbanded BlackMatter gang, has adopted a new technique called bring-your-own-vulnerable-driver (BYOVD) to deploy ransomware. This method is used to render system defenses ineffective and execute ransomware.

The Kasseika ransomware, a relatively new player in the ransomware scene, has been observed using BYOVD attacks. It leverages a technique that exploits a vulnerability in a legitimate device driver to terminate antivirus-related processes, escalate privileges, and bypass security controls.

Kasseika’s attack chain uses phishing to gain initial access to a network, remote administration tools to gain privileged access, and PsExec, a legitimate Windows remote administration tool, to remotely deploy a malicious .BAT file. The ransomware also exploits vulnerabilities in the targeted network’s “Martini.sys” driver to disable security tools, and it continuously scans for and terminates various processes on the system.

After successful encryption, Kasseika changes the wallpaper of the affected system and further attempts to evade detection by clearing event logs on the Windows system.
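As an added example (not from the original article or any vendor's tooling), the sketch below correlates three of the host-level behaviours described above: a .BAT file launched through PsExec, a load of "Martini.sys", and event-log clearing. Event IDs follow Sysmon and Windows event-log conventions; the hosts, paths, file names and the `classify`/`correlate` helpers are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

# Kill-chain stages taken from the article, in the order it describes them.
STAGES = ("psexec_bat", "driver_load", "log_cleared")

# Constructed sample events (not real telemetry). Field names follow Sysmon
# (ID 1 process create, ID 6 driver load) and Windows log-clear events
# (Security 1102, System 104). Hosts and paths are made up.
EVENTS = [
    {"host": "ws-01", "channel": "Sysmon", "id": 1,
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\example.bat"},
    {"host": "ws-01", "channel": "Sysmon", "id": 6,
     "ImageLoaded": r"C:\Users\Public\Martini.sys"},
    {"host": "ws-01", "channel": "Security", "id": 1102},
    {"host": "ws-02", "channel": "Sysmon", "id": 1,
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"ipconfig.exe /all"},
    {"host": "srv-03", "channel": "System", "id": 104},
]

def classify(ev):
    """Map one event to a stage name, or None if it is not of interest."""
    ch, eid = ev["channel"], ev["id"]
    if ch == "Sysmon" and eid == 1:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent == "psexesvc.exe" and ".bat" in ev.get("CommandLine", "").lower():
            return "psexec_bat"
    if ch == "Sysmon" and eid == 6:
        # Name match only: a renamed driver evades this, so pair it with
        # hash or signer checks in production.
        if ntpath.basename(ev.get("ImageLoaded", "")).lower() == "martini.sys":
            return "driver_load"
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return "log_cleared"
    return None

def correlate(events, min_stages=2):
    """Return {host: [stages]} for hosts showing at least min_stages stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: [s for s in STAGES if s in st]
            for h, st in seen.items() if len(st) >= min_stages}

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Requiring at least two stages per host keeps routine PsExec use or a lone log clear from alerting on its own, while a host showing the combined sequence is surfaced for triage.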

To defend against these types of cyberattacks, organizations are advised to limit employees’ administrative rights, ensure regular updating and scanning of security products, secure regular backups of critical data, and provide ongoing education and training on good email and website safety practices and social engineering awareness.

In summary, the report describes the emergence of a new ransomware technique and offers recommendations for organizations to strengthen their cybersecurity posture against such attacks.
