This devious malware uses Bond-inspired driver to kill security suites — then proceeds to systematically encrypt your data and drops a $2 million ransom request

And it then proceeds to install ransomware just for good measure

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Experts have identified a newransomwarevariant that uses an outdated, vulnerable driver, to pose as an antivirus program, kill all real security programs on the computer, and then infect the device.

The researchers dubbed the variant Kasseika and believe it to be linked to an oldmalwarevariant that died years ago - BlackMatter.

In a report, cybersecurity experts fromTrend Microclaim the attack campaign starts with a phishing email that aims to steal login credentials. The attackers would then use the access to drop Kasseika, whose first order of business is to kill a process named Martini.exe. The second step is to download the vulnerable driver called Martini.sys.

BlackMatter lives?

BlackMatter lives?

This Martini.sys file is essential to the success of the campaign, they argue, as the malware won’t proceed if the file isn’t found on the compromised endpoint. If the download is successful, Martini.sys is used to disable installed antivirus products. The ransomware comes with a hardcoded list of 991 processes that need to be terminated. Most of them relate to antivirus products, security tools, analysis tools, and system utilities, it was said.

After killing the security programs, Kasseika will run the encryptor. The last step is running a clear.bat script, removing all traces of the attack.

Victims of the ransomware will see a new desktop wallpaper image, notifying them of the attack. They will also be served a ransom note, asking for 50 Bitcoin (roughly $2 million at current prices) within 72 hours in exchange for access to the encrypted devices. Every additional day (up to five days, maximum) will cost $500,000 more.

Trend Micro believes Kasseika is similar to BlackMatter, a ransomware variant that died in 2021. As its source code was never published, the researchers believe that Kasseika was either built by the same people, or someone managed to buy the source code from the dark web.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics