Kassika Ransomware Gang Emerges with Signs of Familiarity

  |  Source: 
Trend Micro

Kassika Ransomware Gang Emerges with Signs of Familiarity

Within the ever-evolving ransomware threat landscape, a recent addition has surfaced in the form of the Kassika ransomware gang. Notably, researchers at Trend Micro have identified distinctive traits in this group, primarily their adoption of the "Bring Your Own Vulnerable Driver" (BYOVD) tactic. This tactic, also seen in other ransomware gangs like Akira, BlackByte, and AvosLocker, is used by Kassika to exploit weaknesses in drivers and, in particular, the Martini driver, Martini.sys/viragt64.sys, a component of TG Soft's VirIT Agent System. Through this method, Kassika effectively disables security software on the targeted systems. Beyond its innovative tactics, the Kassika ransomware gang draws attention due to its apparent connection with the  BlackMatter ransomware gang. This connection is mainly rooted in the code similarities found in the ransomware encryptor. This linkage raises questions, especially considering that BlackMatter seemingly ceased its activities in 2021, and the source code was never publicly identified as leaked.

Trend Micro's analysis of Kasseika's attack chain discovered it unfolds with a phishing email sent to the targeted organization's employees, aimed at obtaining their account credentials for initial network access. Subsequently, Kasseika operators leverage the Windows PsExec tool to execute malicious .bat files on compromised systems. These files check for the presence of 'Martini.exe,' terminate it to avoid interference and download the 'Martini.sys' driver. This driver is vital for the attack, as Kasseika relies on it to terminate 991 processes, including numerous antivirus and security tools. The ransomware then proceeds to encrypt files using ChaCha20 and RSA encryption algorithms, appending a pseudo-random string to filenames, similar to BlackMatter's tactics.

Kasseika changes the computer’s wallpaper to cover its tracks and clears system event logs post-encryption. Victims are coerced into paying a hefty ransom, which increases with each passing day of delay.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now