Kasseika

Malware Profile Updated 24 days ago
Kasseika is a relatively new ransomware family that, according to Trend Micro analysts, has caused significant damage by exploiting the Martini driver to terminate antivirus-related processes on victim machines. The malware shares much of its source code with BlackMatter, a dangerous ransomware-as-a-service (RaaS) group that evolved from DarkSide and supposedly ceased operations in 2021. Because BlackMatter's code is not widely available, its reuse suggests that Kasseika is run by a mature actor within a limited group that has access to it. The operators behind Kasseika have adopted a bring-your-own-vulnerable-driver (BYOVD) attack method, making them one of the few groups to use this technique to deploy ransomware.

Kasseika runs as a 32-bit Windows PE file packed with Themida, a packer known for its robust code obfuscation and anti-debugging techniques, which make reverse engineering of the binaries challenging. It looks for applications related to process monitoring, system monitoring, and analysis tools and, as a defense-evasion measure, terminates itself if any of these processes are active. To execute its payload, Kasseika abuses PsExec, a legitimate Windows remote administration tool, to remotely deploy a malicious .BAT file. After encryption, the ransomware renames the encrypted files, changes the wallpaper of the affected system, and leaves a ransom note named CBhwKBgQD.README.txt in each encrypted directory.

To avoid falling prey to such attacks, organizations are advised to follow good email and website safety practices, grant employees only the administrative rights they need, keep security products updated, and perform regular scans.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Windows
Encryption
Ransom
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Kasseika malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 4 months ago | Kasseika Ransomware Linked to BlackMatter in BYOVD Attack