BleepingComputer reports that the newly emerged Kasseika ransomware operation is disabling antivirus software with a Bring Your Own Vulnerable Driver (BYOVD) attack that abuses the Martini driver (Martini.sys) shipped with TG Soft's VirIT Agent System.
According to a Trend Micro report, the attackers first obtained account credentials through phishing emails, then used the Sysinternals PsExec tool to run a malicious batch file on the target. The script terminates any running "Martini.exe" process and then downloads the vulnerable "Martini.sys" driver.
Once loaded, the driver is used to kill antivirus processes, clearing the way for the Kasseika ransomware payload, whose file encryption routine resembles that of BlackMatter. After encryption, Kasseika clears the Windows event logs to conceal its activity.
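As an added example (not code from the article, BleepingComputer or Trend Micro), the following Python sketches how a detection engineer might hunt for the chain described above in endpoint telemetry: a batch file spawned under PsExec, a load of a driver named Martini.sys, several antivirus processes terminated right after it, and wevtutil clearing logs. All event shapes, file paths, antivirus process names and timestamps are constructed for the example; matching the driver by file name alone is an assumption of the example, not a recommendation.

```python
"""Detection sketch for a Kasseika-style BYOVD chain (added example, constructed data):
PsExec-launched batch file -> Martini.sys load -> mass AV process termination -> log clearing."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Event:
    ts: int            # seconds on a constructed timeline
    kind: str          # "proc_create", "proc_term" or "driver_load"
    image: str = ""    # process image or driver path
    parent: str = ""   # parent image (proc_create only)
    cmdline: str = ""  # command line (proc_create only)


# Driver name taken from the article. ASSUMPTION: name-only matching for illustration;
# a production rule should key on the driver hashes published in the vendor report.
SUSPECT_DRIVERS = {"martini.sys"}
PSEXEC_PARENTS = {"psexesvc.exe", "psexec.exe"}            # PsExec's service-side process on the target
AV_IMAGES = {"msmpeng.exe", "mbamservice.exe", "avp.exe"}  # constructed sample of AV process names
MIN_AV_KILLS = 2  # ASSUMPTION: one AV restart is noise; several terminations after a driver load is not


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def _first(stages: dict, key: str, ts: int) -> None:
    if stages[key] is None:
        stages[key] = ts


def detect_chain(events: Iterable[Event]) -> dict:
    """Return first-seen timestamps per stage plus 'chain': True when a suspect
    driver load is followed by mass AV termination (the core BYOVD signal)."""
    stages = {"psexec_batch": None, "driver_load": None, "av_kill": None, "log_clear": None}
    av_kill_ts: List[int] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        img, parent, cmd = _basename(e.image), _basename(e.parent), e.cmdline.lower()
        if e.kind == "proc_create" and parent in PSEXEC_PARENTS and ".bat" in cmd:
            _first(stages, "psexec_batch", e.ts)
        elif e.kind == "driver_load" and img in SUSPECT_DRIVERS:
            _first(stages, "driver_load", e.ts)
        elif e.kind == "proc_term" and img in AV_IMAGES:
            av_kill_ts.append(e.ts)
        elif e.kind == "proc_create" and img == "wevtutil.exe" and (" cl " in f" {cmd} " or "clear-log" in cmd):
            _first(stages, "log_clear", e.ts)
    # Only AV terminations that happen after the suspect driver load count toward the kill stage.
    if stages["driver_load"] is not None:
        after = [t for t in av_kill_ts if t >= stages["driver_load"]]
        if len(after) >= MIN_AV_KILLS:
            stages["av_kill"] = after[0]
    stages["chain"] = stages["driver_load"] is not None and stages["av_kill"] is not None
    return stages


# Constructed telemetry for one host (not real logs), following the article's sequence.
ATTACK_EVENTS = [
    Event(100, "proc_create", r"C:\Windows\System32\cmd.exe", r"C:\Windows\PSEXESVC.exe",
          r"cmd.exe /c C:\Users\Public\run.bat"),
    Event(101, "proc_term", r"C:\Users\Public\Martini.exe"),          # existing agent process killed first
    Event(105, "driver_load", r"C:\Windows\Temp\Martini.sys"),         # vulnerable driver brought along
    Event(106, "proc_term", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(106, "proc_term", r"C:\Program Files\Malwarebytes\MBAMService.exe"),
    Event(110, "proc_create", r"C:\Windows\System32\wevtutil.exe", r"C:\Windows\System32\cmd.exe",
          "wevtutil.exe cl Security"),
]

# Constructed benign activity: a normal driver load and a single AV service restart.
BENIGN_EVENTS = [
    Event(200, "driver_load", r"C:\Windows\System32\drivers\ndis.sys"),
    Event(201, "proc_term", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(202, "proc_create", r"C:\Program Files\Windows Defender\MsMpEng.exe",
          r"C:\Windows\System32\services.exe", "MsMpEng.exe"),
]

if __name__ == "__main__":
    print("attack host:", detect_chain(ATTACK_EVENTS))
    print("benign host:", detect_chain(BENIGN_EVENTS))
```

The driver-load-followed-by-AV-termination pairing is the stage worth alerting on; the PsExec and wevtutil stages only raise confidence, because each is common on its own. In a real deployment, replace the file-name match with the driver hashes from the vendor report and confirm that the driver is covered by Microsoft's vulnerable driver blocklist on hosts where it is enforced, since a blocked driver never reaches the load stage at all.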
Researchers also found that organizations hit by Kasseika are asked for a ransom of 50 bitcoins (about $2 million), with a further $500,000 added for each day payment is delayed.
BYOVD attacks deployed by novel Kasseika ransomware