Kasseika Ransomware Linked to BlackMatter in BYOVD Attack

A ransomware group potentially linked to the defunct BlackMatter gang has joined several other adversaries in deploying an emerging type of attack that can terminate antivirus (AV) processes and services for the deployment of ransomware.

Actors behind the Kasseika ransomware have been using a bring-your-own-vulnerable-driver (BYOVD) attack, one of a handful of groups that have adopted this method to deploy ransomware, researchers at Trend Micro revealed in a blog post published Jan. 23.

BYOVD is a technique that threat actors began using last year that renders some system defenses useless to pave the way for ransomware execution. Trend Micro cited Akira, BlackByte, and AvosLocker as ransomware groups using this type of attack, which generally exploits a vulnerability in a legitimate device driver to execute ransomware, escalate privileges, and bypass security controls.

"In this case we investigated, the Kasseika ransomware abused Martini driver to terminate the victim machine's antivirus-related processes," according to a post from a group of TrendMicro analysts and engineers.

Link to BlackMatter Ransomware

Though Kasseika is a relatively new to the ransomware scene, the majority of the source code used in the attack is the same as that used by BlackMatter, a dangerous ransomware-as-a-service (RaaS) group that respawned from another group, DarkSide, but was supposed to have ceased operations in 2021.

Since then, other groups seem to be keeping the ransomware alive, using similar techniques and tools to BlackMatter, but with Kasseika, a more exclusive group of operators have accessed its old code and apply it to new strains, according to Trend Micro. Indeed, "kasseika" means revitalization, rejuvenation, or resuscitation in Japanese.

"Based on our research, the BlackMatter source code is not widely available, so its use in this Kasseika ransomware attack is suggestive of a mature actor in a limited group that acquired or bought access to it," the researchers wrote.

Initial Entry and BYOVD Execution

In the Kasseika ransomware attack observed by Trend Micro, attackers used phishing techniques to steal credentials from an employee at its targeted company for initial access to the network. It then used remote administration tools (RATs) to gain privileged access and move laterally within the environment. 

To execute its ransomware payload, Kasseika abused the legitimate Windows RAT PsExec, which originally was designed for network management, but can be abused to remotely deploy a malicious .BAT file, which is what happened in this case.

For its BYOVD aspect, the attack exploited vulnerabilities in the targeted network's "Martini.sys" driver — part of VirIT Agent System developed by TG Soft — to disable various security tools that were present in the environment. If the driver does not exist in the environment, the malware will self-terminate and not proceed.

If the presence of Martini.sys is confirmed, Kasseika loads the Martini.sys driver through a Martini.exe file using the CreateFileW function. This proceeds to continuously scan all active processes in the system, terminating any antivirus products, security tools, analysis tools, and system utility tools that are present.

The Kasseika ransomware also discovers applications that are related to process monitoring, system monitoring, and analysis tools, leveling up its defense-evasion techniques by discovering active processes related to these activities and terminating itself if they are running into the system, the researchers noted.

Kasseika Ransomware Execution

The Kasseika ransomware is a 32-bit Windows PE file packed by Themida, which is used by attackers for its "formidable code obfuscation and anti-debugging techniques," making it hard to reverse-engineer the binaries, according to Trend Micro. 

Before encryption, Kasseika terminates all processes and services that are currently accessing Windows Restart Manager and then starts a new session to commence with the attack. The ransomware uses "ChaCha20" as its encryption algorithm key together with the RSA encryption algorithm from open source C++ library CryptoPP.

Kasseika then generates a modified version of the ChaCha20 matrix that consists of randomly generated bytes, which is then copied to a buffer that will be encrypted by the RSA public key. After this the encrypted buffer is written into the modified version of the ChaCha20 matrix, with the ransomware using this modified matrix to encrypt target files.    

After successful encryption, the Kasseika ransomware renames the encrypted files and  reuses the encrypted file extension as the name of its ransom note, CBhwKBgQD.README.txt, which Kasseika will drop in every encrypted directory.  At the end of its encryption routine, the Kasseika ransomware changes the wallpaper of the affected system. 

Further evasion attacks by the group use the command wevutil.exe to clear with efficiency the Application, Security, and System event logs on the Windows system. This makes it "more challenging for security tools to identify and respond to malicious activities," the researchers noted.

Defending Against Kasseika BYOVD

To defend against these types of BYOVD cyberattacks by Kasseika and other ransomware groups, Trend Micro recommends that organizations only grant employees administrative rights and access when necessary as well as ensure that security products are updated regularly and perform periodic scans.  Enterprises also should secure regular backups of critical data so they can recover quickly in case of an attack.

Further, to avoid having employees compromised by phishing — such as what happened in the Kasseika and many other attacks — organizations also should exercise good email- and website-safety practices and advise employees to only download attachments, select URLs, and execute programs from trusted sources. There also should be tools blocking malicious emails present on the network.

Other good security hygiene practices that organizations can implement for employees include encouraging them to alert the security team of potentially suspicious emails and files, and to conduct regular education and training sessions on the dangers and signals of social engineering.