This sneaky malware uses a Bond-inspired driver to destroy security suites, then proceeds to systematically encrypt your data and drops a $2 million ransom demand
Experts have identified a new ransomware variant that uses an outdated, vulnerable driver to masquerade as an antivirus program, kill all genuine security programs on the computer and then infect the device.
The researchers named the variant Kasseika and believe it is related to an older malware family that died years ago: BlackMatter.
Cybersecurity experts at Trend Micro write in a report that the attack campaign starts with a phishing email aimed at stealing login credentials. The attackers then use that access to drop Kasseika, whose first job is to kill a process called Martini.exe. The second step is to download the vulnerable driver, called Martini.sys.
Is BlackMatter alive?
This Martini.sys file is essential to the campaign's success, the researchers say, because the malware will not proceed if the file is not found on the compromised endpoint. If the download succeeds, Martini.sys is used to disable installed antivirus products. The ransomware carries a hardcoded list of 991 processes that are to be terminated; most of them belong to antivirus products, security tools, analysis tools and system utilities, the report says.
After the security programs have been shut down, Kasseika runs the encryptor. The final step is a clear.bat script, which removes all traces of the attack.
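As an added illustration of how a defender might spot this chain in endpoint telemetry (example code written for this edit, not from Trend Micro's report or from BleepingComputer; the log format, field names and the sample security-tool process names are assumptions), the check below flags a load of the Martini.sys driver, a burst of security-tool terminations on one host, and the clear.bat cleanup run:

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), modelled on the chain the
# article describes: Martini.exe killed, Martini.sys loaded, security tools
# terminated, then clear.bat run. Field names are an assumption.
SAMPLE_EVENTS = [
    "ts=100 host=WS01 event=ProcessTerminate image=Martini.exe",
    "ts=101 host=WS01 event=DriverLoad image=C:\\Windows\\Temp\\Martini.sys",
    "ts=102 host=WS01 event=ProcessTerminate image=MsMpEng.exe",
    "ts=102 host=WS01 event=ProcessTerminate image=procexp.exe",
    "ts=103 host=WS01 event=ProcessTerminate image=wireshark.exe",
    "ts=104 host=WS01 event=ProcessTerminate image=sysmon64.exe",
    'ts=105 host=WS01 event=ProcessCreate image=cmd.exe cmdline="cmd /c clear.bat"',
    "ts=200 host=WS02 event=ProcessTerminate image=notepad.exe",
]

WATCHED_DRIVERS = {"martini.sys"}   # driver named in the article
WATCHED_SCRIPTS = {"clear.bat"}     # cleanup script named in the article
# Hypothetical sample of the kind of security/analysis processes targeted.
SECURITY_PROCS = {"msmpeng.exe", "procexp.exe", "wireshark.exe", "sysmon64.exe"}
KILL_THRESHOLD = 3   # distinct security processes terminated ...
WINDOW = 10          # ... within this many seconds on one host

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn a key=value event line into a dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (host, finding, detail) tuples for the behaviours above."""
    findings, kills = [], defaultdict(list)   # kills: host -> [(ts, image)]
    for ev in map(parse, lines):
        host, kind = ev.get("host"), ev.get("event")
        image, ts = basename(ev.get("image", "")), int(ev.get("ts", 0))
        if kind == "DriverLoad" and image in WATCHED_DRIVERS:
            findings.append((host, "watched_driver_load", image))
        cmd = ev.get("cmdline", "").lower()
        if kind == "ProcessCreate" and any(s in cmd for s in WATCHED_SCRIPTS):
            findings.append((host, "cleanup_script", ev["cmdline"]))
        if kind == "ProcessTerminate" and image in SECURITY_PROCS:
            kills[host].append((ts, image))
            recent = {i for t, i in kills[host] if ts - t <= WINDOW}
            if len(recent) == KILL_THRESHOLD:   # fire once, when crossed
                findings.append((host, "security_tool_kill_burst", sorted(recent)))
    return findings
```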
Victims of the ransomware will see a new desktop wallpaper, notifying them of the attack. They will also receive a ransom note, demanding 50 Bitcoin (approximately $2 million at current prices) within 72 hours in exchange for access to the encrypted devices. Each additional day (up to five days) costs $500,000 more.
Trend Micro believes that Kasseika is similar to BlackMatter, a ransomware variant that died in 2021. Since the source code was never published, researchers believe that Kasseika was built by the same people, or that someone managed to purchase the source code on the dark web.
Via BleepingComputer