Researchers have identified a new ransomware strain that abuses a vulnerable, outdated antivirus driver to terminate every other security program on a computer before encrypting the device.
The strain has been named Kasseika, and the researchers believe it is related to an older ransomware family that vanished years ago: BlackMatter.
In a report, Trend Micro's researchers describe a campaign that begins with a phishing email designed to steal login credentials. The attackers then use that access to deploy Kasseika, whose first task is to kill a process called Martini.exe. Its second step is to download the vulnerable driver, Martini.sys, to the same machine.
Does BlackMatter live?
This Martini.sys file is essential to the campaign, the researchers argue: the malware does not continue if the file is not present on the compromised endpoint. Once the download succeeds, Martini.sys is used to disable the installed antivirus products. The ransomware carries a hard-coded list of 991 processes to terminate, most of them belonging to antivirus products, security tools, scanning tools and system utilities. This is a bring-your-own-vulnerable-driver (BYOVD) technique: the driver is a legitimately signed component, so it loads without complaint, and its flaws are then used from kernel mode to kill protected processes that user-mode malware could not touch on its own.
With the security programs gone, Kasseika runs its encryptor. The final step runs a clear.bat script that wipes the attack's traces from the system.
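The chain described above (kill Martini.exe, load Martini.sys, terminate a burst of security processes, clean up) is a sequence rather than a single indicator, which makes it a good target for behavioural correlation on endpoint telemetry. The following is an added example, not code from the report or from Trend Micro: a small correlator that walks flattened Sysmon-style events per host, anchors on a Martini.sys driver load, and records which of the other stages follow it. The event shape, the 15-minute window, the six-name stand-in for the 991-entry kill list, and the assumption that clear.bat's trace removal shows up as event-log clearing are all assumptions of this example; the sample telemetry is constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables: assumptions for this example, not figures from the report.
WINDOW = timedelta(minutes=15)   # correlate events this long after the driver load
KILL_THRESHOLD = 5               # this many security-tool terminations counts as a burst
# Short stand-in for the 991-entry kill list; these are common AV/EDR process names.
SECURITY_TOOLS = {"msmpeng.exe", "sense.exe", "ekrn.exe", "avp.exe", "ccsvchst.exe", "wazuh-agent.exe"}

# Constructed sample telemetry in a flattened Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    # WS01: the full chain.
    {"ts": "2024-01-20T10:00:05", "host": "WS01", "event": "process_terminate", "image": "C:\\Temp\\Martini.exe"},
    {"ts": "2024-01-20T10:00:10", "host": "WS01", "event": "driver_load",       "image": "C:\\Temp\\Martini.sys"},
    {"ts": "2024-01-20T10:00:20", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\MsMpEng.exe"},
    {"ts": "2024-01-20T10:00:25", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\Sense.exe"},
    {"ts": "2024-01-20T10:00:30", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\ekrn.exe"},
    {"ts": "2024-01-20T10:00:35", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\avp.exe"},
    {"ts": "2024-01-20T10:00:40", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\ccSvcHst.exe"},
    {"ts": "2024-01-20T10:00:45", "host": "WS01", "event": "process_terminate", "image": "C:\\AV\\wazuh-agent.exe"},
    {"ts": "2024-01-20T10:05:00", "host": "WS01", "event": "log_clear", "channel": "Security"},
    {"ts": "2024-01-20T10:05:01", "host": "WS01", "event": "log_clear", "channel": "System"},
    # WS02: the driver loads (it ships with a legitimate product) but nothing else follows.
    {"ts": "2024-01-20T11:00:00", "host": "WS02", "event": "driver_load",       "image": "C:\\Drivers\\Martini.sys"},
    {"ts": "2024-01-20T11:00:30", "host": "WS02", "event": "process_terminate", "image": "C:\\Windows\\notepad.exe"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_kasseika_chain(events):
    """Return one finding per Martini.sys load, annotated with the stages that followed it."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["event"] != "driver_load" or _basename(e["image"]) != "martini.sys":
                continue
            t0 = _ts(e)
            later = [x for x in evs[i + 1:] if _ts(x) - t0 <= WINDOW]
            kills = [_basename(x["image"]) for x in later
                     if x["event"] == "process_terminate" and _basename(x["image"]) in SECURITY_TOOLS]
            cleared = [x["channel"] for x in later if x["event"] == "log_clear"]
            # The report's first step: Martini.exe is killed before the driver is dropped.
            prepared = any(x["event"] == "process_terminate" and _basename(x["image"]) == "martini.exe"
                           for x in evs[:i])
            stages = (["martini_exe_killed"] if prepared else []) + ["driver_load"]
            if len(kills) >= KILL_THRESHOLD:
                stages.append("security_tools_killed")
            if cleared:
                stages.append("event_logs_cleared")
            findings.append({
                "host": host, "start": e["ts"], "stages": stages,
                "killed": kills, "cleared": cleared,
                # A lone driver load is suspicious but may be the legitimate product; the chain is not.
                "severity": "high" if len(stages) >= 3 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_kasseika_chain(SAMPLE_EVENTS):
        print(f["host"], f["severity"], " -> ".join(f["stages"]))
```

The point of anchoring on the driver load rather than on any single process kill is that the driver is the one step the malware cannot skip; the burst of terminations and the log clearing then raise confidence, so a host where only the load is seen is reported at a lower severity instead of being ignored or paged on immediately.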
Victims see a new desktop background announcing the attack, along with a ransom note demanding 50 Bitcoin (roughly $2 million at current prices) within 72 hours in exchange for access to the encrypted devices. Each additional day of delay, up to a maximum of five days, adds $500,000 to the price.
Trend Micro believes Kasseika resembles BlackMatter, a ransomware family that went dark in 2021. Because BlackMatter's source code was never published, the researchers believe that Kasseika was either built by the same people or by someone who managed to buy the source code on the dark web.
Via BleepingComputer