Kasseika is a relatively new ransomware that has been causing significant damage by exploiting the Martini driver to terminate antivirus-related processes on victim machines, according to TrendMicro analysts. This malware shares much of its source code with BlackMatter, a dangerous ransomware-as-a-service (RaaS) group that evolved from DarkSide and supposedly ceased operations in 2021. However, the use of BlackMatter's code, which isn't widely available, suggests that Kasseika is being operated by a mature actor within a limited group that has access to it.
The operators behind Kasseika have adopted a bring-your-own-vulnerable-driver (BYOVD) attack method, making them one of the few groups using this technique to deploy ransomware. To avoid falling prey to such attacks, organizations are advised to exercise good email and website safety practices, only grant necessary administrative rights to employees, keep security products updated, and perform regular scans. The Kasseika ransomware alters the wallpaper of affected systems post-encryption and renames encrypted files, leaving a ransom note named CBhwKBgQD.README.txt in each encrypted directory.
The Kasseika ransomware is a 32-bit Windows PE file packed with Themida, a packer known for its robust code obfuscation and anti-debugging features, which makes reverse-engineering the binaries challenging. As a defense-evasion measure, it checks for running process-monitoring, system-monitoring, and analysis tools and terminates itself if any of them are active. To execute its payload, Kasseika abuses the legitimate Windows remote-administration tool (RAT) PsExec to remotely deploy a malicious .BAT file.
Description last updated: 2024-05-05T02:09:15.108Z