This devious malware uses Bond-inspired driver to kill security suites — then proceeds to systematically encrypt your data and drops a $2 million ransom request

Ransomware attack on a computer
(Image credit: Kaspersky)

Experts have identified a new ransomware variant that uses an outdated, vulnerable driver, to pose as an antivirus program, kill all real security programs on the computer, and then infect the device.

The researchers dubbed the variant Kasseika and believe it to be linked to an old malware variant that died years ago - BlackMatter.

In a report, cybersecurity experts from Trend Micro claim the attack campaign starts with a phishing email that aims to steal login credentials. The attackers would then use the access to drop Kasseika, whose first order of business is to kill a process named Martini.exe. The second step is to download the vulnerable driver called Martini.sys.

BlackMatter lives?

This Martini.sys file is essential to the success of the campaign, they argue, as the malware won’t proceed if the file isn’t found on the compromised endpoint. If the download is successful, Martini.sys is used to disable installed antivirus products. The ransomware comes with a hardcoded list of 991 processes that need to be terminated. Most of them relate to antivirus products, security tools, analysis tools, and system utilities, it was said. 

After killing the security programs, Kasseika will run the encryptor. The last step is running a clear.bat script, removing all traces of the attack.

Victims of the ransomware will see a new desktop wallpaper image, notifying them of the attack. They will also be served a ransom note, asking for 50 Bitcoin (roughly $2 million at current prices) within 72 hours in exchange for access to the encrypted devices. Every additional day (up to five days, maximum) will cost $500,000 more.

Trend Micro believes Kasseika is similar to BlackMatter, a ransomware variant that died in 2021. As its source code was never published, the researchers believe that Kasseika was either built by the same people, or someone managed to buy the source code from the dark web.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.