{
	"id": "6f9def13-05c2-4bce-b8ef-97be9f1020c3",
	"created_at": "2026-04-06T00:21:19.783156Z",
	"updated_at": "2026-04-10T03:29:40.12138Z",
	"deleted_at": null,
	"sha1_hash": "c25c04b4b91f0b4b010a1c30451bd9ecf702c094",
	"title": "Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini Driver",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1423487,
	"plain_text": "Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini Driver\r\nPublished: 2024-01-23 · Archived: 2026-04-05 13:30:56 UTC\r\nRansomware\r\nIn this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.\r\nBy: Christian Jason Geollegue, Julius Keith Estrellado, Christian Alpuerto, Shawn Austin Santos, Rhio Manaog, Gerald Fernandez, Don Ovid Ladores, Raighen Sanchez, Raymart Yambot, Francesca Villasanta, Sophia Nilette Robles\r\nJan 23, 2024 · Read time: 6 min (1702 words)\r\nFollowing an increase in bring-your-own-vulnerable-driver (BYOVD) attacks launched by ransomware groups in 2023, the Kasseika ransomware is among the latest to join the trend. Kasseika follows Akira, BlackByte, and AvosLocker in using the tactic, which lets threat actors terminate antivirus processes and services before deploying ransomware. In the case we investigated, Kasseika abused the Martini driver to terminate the victim machine’s antivirus-related processes.\r\nIn our analysis of the Kasseika attack chain, we observed indicators that resemble the BlackMatter ransomware. These indicators include pseudo-random file extensions and the use of {extension string}.README.txt as the ransom note file name and format.\r\nA closer look revealed that the majority of the source code used by BlackMatter was reused in this attack. Based on our research, the BlackMatter source code is not widely available, so its use in this Kasseika attack suggests a mature actor within a limited group that acquired or bought access to it.\r\nBlackMatter respawned from DarkSide, which is known to have been used as the basis for ALPHV, more popularly known as BlackCat. 
Since its shutdown in 2021, other ransomware groups have been observed using techniques and tools similar to BlackMatter’s, while a more exclusive group of ransomware operators is able to access its old code and apply it to new strains.\r\nhttps://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html\r\nPage 1 of 12\r\nFigure 1. The Kasseika ransomware infection chain\r\nTargeted phishing links via email for initial access\r\nIn the Kasseika case that we investigated, we observed that it used targeted phishing for initial access, as well as to gather credentials from one of the employees of its target company. It then used remote administration tools (RATs) to gain privileged access and move laterally within the target network.\r\nFigure 2. PsExec command to execute the malicious .bat file\r\nAbusing PsExec for execution\r\nKasseika abused the legitimate Sysinternals remote administration tool PsExec to execute its malicious files. PsExec was designed for network management, but its misuse lets threat actors remotely deploy a malicious .bat file, as in this case.\r\nFigure 3. Kasseika terminates the Martini runtime\r\nThe Kasseika ransomware initially uses a batch script to load its malicious components. The script begins by checking for the existence of a process named Martini.exe. If found, it terminates it to ensure that only one instance of the process is running on the machine.\r\nKasseika’s KILLAV mechanism for defense evasion\r\nUpon further analysis, Martini.exe first verifies whether the Martini.sys driver is present on the affected system. The signed driver Martini.sys, originally named viragt64.sys, is part of the VirIT Agent System developed by TG Soft. 
By exploiting its vulnerabilities, Kasseika leverages this driver to disable various security tools. If Martini.sys does not exist, the malware terminates itself and does not proceed with its intended routine.\r\nFigure 4. “Martini.sys” file properties and certificate information\r\nAfter confirming the presence of the driver file, Kasseika creates a service for it and then starts it.\r\nFigure 5. The service created by the PINCAV trojan, a 64-bit Windows PE file written in C++\r\nOnce the service has loaded the driver, Martini.exe obtains a handle to it with the CreateFileW function; the subsequent DeviceIoControl calls go through this handle.\r\nFigure 6. “Martini.exe” opening a handle to the “Martini.sys” driver\r\nAfter opening Martini.sys, Martini.exe continuously scans all active processes in the system. Upon detecting a listed process, it passes it to the driver through the DeviceIoControl function.\r\nFigure 7. The “DeviceIoControl” function\r\nThe control code 0x82730030 is sent to the driver, instructing it to terminate matching processes; the list covers at least 991 process names, including antivirus products, security tools, analysis tools, and system utilities. A complete list of the targeted processes can be found here.\r\nFigure 8. The “Martini.sys” case function\r\nFigure 9. ZwTerminateProcess, reached from the handler for control code 0x82730030 (an IOCTL code, not a memory address), performs the process termination.\r\nKasseika also uses the FindWindowA API to look up windows by name and compare them against a list.\r\nFigure 10. Kasseika comparing application window names for defense evasion\r\nFigure 11. Kasseika comparing strings for defense evasion\r\nThe Kasseika ransomware looks for applications related to process monitoring, system monitoring, and analysis tools.\r\nTable 1. 
A list of process monitoring, system monitoring, and analysis tools that Kasseika looks for\r\nThe Kasseika ransomware levels up its defense evasion by discovering running processes related to security and analysis tools. It terminates itself if these processes are present on the system.\r\nntice.sys, iceext.sys, Syser.sys, HanOlly.sys, extrem.sys, FRDTSC.SYS, fengyue.sys, Kernel Detective\r\nCisUtMonitor, FileMonitor.sys, REGMON, Regsys, Sysregm, PROCMON, Revoflt, Filem\r\nTable 2. A list of process names related to security and analysis\r\nFigure 12 shows that the script first removes any directories beneath the batch script’s location to ensure a clean state. Kasseika then sets up variables to store various paths and executable file names. These variables make the script more flexible, allowing easy modification of file paths and names for future use.\r\nFigure 12. Initialization of variables\r\nFigure 13. Execution of payloads\r\nKasseika then copies files from a network share to a local directory. The /E switch ensures that all subdirectories, including empty ones, are copied. Following this, Martini.exe is executed to terminate any processes associated with antivirus vendors. Execution then proceeds to launch smartscreen_protected.exe, which we identified as the Kasseika ransomware binary. Finally, clear.bat is executed to erase any traces of the operation on the machine.\r\nFigure 14. The contents of “clear.bat” for final cleanup\r\nKasseika payload analysis\r\nThe Kasseika ransomware is a 32-bit Windows PE file packed with Themida. Themida-packed binaries are known for heavy code obfuscation and anti-debugging techniques, which make them hard to reverse-engineer.\r\nFigure 15. Kasseika ransomware packed with Themida\r\nBefore encryption, Kasseika uses the Windows Restart Manager to terminate the processes and services that hold open the files it intends to encrypt. It first starts a new session, modifying the Owner value under the registry keys in the following list. It then enumerates session hashes (SessionHash) of processes and services from the same keys. After termination, it retrieves the paths of the files those processes held (RegFiles), which are checked later for encryption:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session{numbers}\r\nOwner = {hex values}\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session{numbers}\r\nSessionHash = {hex values}\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session{numbers}\r\nSequence = 0x01\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session{numbers}\r\nRegFiles{numbers} = {encrypted path and file}\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session{numbers}\r\nRegFilesHash = {hex values}\r\nThe Kasseika ransomware deletes the shadow copies of the affected system, using Windows Management Instrumentation command-line (WMIC) queries to enumerate them:\r\nSELECT * Win32_ShadowCopies\r\n(The documented WMI class is Win32_ShadowCopy, and a well-formed query reads SELECT * FROM Win32_ShadowCopy; the string is reproduced here as the post shows it.)\r\nThe Kasseika ransomware then derives its file extension by first retrieving a hard-coded string from CryptoPP::StringSinkTemplate. Next, it Base64-encodes the first nine characters of the string. Finally, because the characters “+”, “/”, and “=” in Base64 cannot be used in a file extension, the ransomware replaces them with “a”, “l”, and “e”, respectively.\r\nFigure 16. 
The Kasseika ransomware decrypting its file extension\r\nKasseika uses the ChaCha20 stream cipher together with RSA, both taken from the open-source C++ library Crypto++ (CryptoPP). It generates a modified ChaCha20 state matrix filled with randomly generated bytes. The matrix is copied to a buffer that is encrypted with the RSA public key, after which the encrypted buffer is written into the modified ChaCha20 matrix. Kasseika then uses the modified ChaCha20 matrix to encrypt target files. Because the per-file matrix can only be recovered with the corresponding RSA private key, the files cannot be decrypted from the ciphertext alone.\r\nFigure 17. The function Kasseika uses to encrypt files with ChaCha20\r\nAfter successful encryption, Kasseika renames the encrypted files by appending the derived extension:\r\n{original filename}.{original extension}.CBhwKBgQD\r\nFigure 18. Sample files encrypted by the Kasseika ransomware\r\nAfterward, Kasseika reuses the file extension as the name of its ransom note, CBhwKBgQD.README.txt, which it drops in every directory it encrypts on the affected system.\r\nFigure 19. A Kasseika ransom note\r\nAt the end of its encryption routine, the Kasseika ransomware changes the wallpaper of the affected system, as shown in Figure 20.\r\nFigure 20. Kasseika replaces the wallpaper of the infected machine with its ransom note\r\nClearing traces of the attack\r\nAs Figure 21 shows, the Kasseika ransomware can also wipe its traces by clearing the system’s event logs through the execution of commands.
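\r\nThe extension derivation and the per-file encryption scheme described above, as an added example in Python. This is not Kasseika’s or Crypto++’s code (the sample uses Crypto++ on Windows); it is an independent illustration of the structure: a pure-Python ChaCha20 core checked against the RFC 8439 block test vector, a per-file random 64-byte state matrix, and a public-key wrap of that matrix. Assumptions the post does not state: the wrapped matrix is appended to the ciphertext as a trailer; the RSA key is a deliberately toy, unpadded key built from two published Mersenne primes so the code is deterministic and library-free (known primes make it worthless as a real key, and real code would use OAEP); and the hard-coded string fed to derive_extension is a constructed input, with prefix_len left as a parameter because nine input bytes Base64-encode to twelve characters while the observed extension CBhwKBgQD has nine.

```python
import base64
import secrets
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(state):
    '''One 64-byte keystream block from a 16-word state (RFC 8439 layout:
    4 constants, 8 key words, block counter, 3 nonce words).'''
    w = list(state)
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_state(key, nonce, counter=1):
    '''Standard state: constants (expand 32-byte k), 256-bit key, 96-bit nonce.'''
    consts = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
    return list(consts + struct.unpack('<8I', key) + (counter,) + struct.unpack('<3I', nonce))


def chacha20_xor(state, data):
    '''Encrypt or decrypt (same operation); word 12 is the running block counter.'''
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 64)):
        blk = chacha20_block(state[:12] + [(state[12] + i) & MASK] + state[13:])
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], blk))
    return bytes(out)


# Toy RSA key from two published Mersenne primes: deterministic and library-free,
# but public knowledge and unpadded, so it only models the wrapping step.
RSA_P, RSA_Q, RSA_E = (1 << 521) - 1, (1 << 607) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
WRAP_LEN = (RSA_N.bit_length() + 7) // 8


def rsa_wrap(blob):
    return pow(int.from_bytes(blob, 'big'), RSA_E, RSA_N).to_bytes(WRAP_LEN, 'big')


def rsa_unwrap(wrapped, size):
    return pow(int.from_bytes(wrapped, 'big'), RSA_D, RSA_N).to_bytes(size, 'big')


def encrypt_file(plaintext):
    '''A random 64-byte matrix (all 16 words random, as the post describes) drives
    ChaCha20; the matrix, wrapped with the public key, is appended (assumption).'''
    matrix = secrets.token_bytes(64)
    body = chacha20_xor(list(struct.unpack('<16I', matrix)), plaintext)
    return body + rsa_wrap(matrix)


def decrypt_file(blob):
    '''Only the private-key holder can recover the matrix, hence the file.'''
    body, wrapped = blob[:-WRAP_LEN], blob[-WRAP_LEN:]
    matrix = rsa_unwrap(wrapped, 64)
    return chacha20_xor(list(struct.unpack('<16I', matrix)), body)


_B64_FIX = str.maketrans({'+': 'a', '/': 'l', '=': 'e'})


def derive_extension(hardcoded, prefix_len=9):
    '''Base64 of the first prefix_len bytes, with +, / and = replaced by a, l, e.'''
    return base64.b64encode(hardcoded[:prefix_len]).decode('ascii').translate(_B64_FIX)


def encrypted_name(filename, ext):
    return f'{filename}.{ext}'


def ransom_note_name(ext):
    return f'{ext}.README.txt'


if __name__ == '__main__':
    ext = derive_extension(bytes.fromhex('fbffbffbffbffbffbf'))  # constructed input
    blob = encrypt_file(b'quarterly report ' * 9)
    print(encrypted_name('report.docx', ext), ransom_note_name(ext), len(blob))
```

The decrypt path works here only because the toy private key is in the same file; on a victim machine the trailer is opaque, which is why file recovery hinges on the operator’s private key rather than on anything recoverable from the sample. The Base64 substitution is lossy (a, l and e already occur in the alphabet), so the extension cannot be reversed to the input bytes; it is a label, not key material.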
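Detection logic for the behaviours this post describes (the PsExec-launched batch file of Figure 2, the Martini service and driver load, the WMIC shadow-copy handling, and the event-log clearing that Figure 21 shows below), as an added example in Python run over constructed sample events. This is not Trend Micro’s code or detection content. The event dictionaries, their field names, and the normalized shape are assumptions of this example, modelled on what a SIEM exposes after parsing Sysmon and Windows Security/System events; PSEXESVC.exe as PsExec’s service, and event IDs 1104 (Security) and 104 (System) as Windows’ own record of a cleared log, are standard Windows facts. The original_filename field on driver-load events is assumed to come from an enrichment step that reads the PE version resource, since Sysmon’s driver-load event does not carry it.

```python
# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    # 0: PsExec's service launching a batch file
    {'type': 'process', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'parent': 'C:\\Windows\\PSEXESVC.exe', 'cmdline': 'cmd.exe /c C:\\Users\\Public\\deploy.bat'},
    # 1: kernel-driver service whose binary sits outside the drivers directory
    {'type': 'service', 'name': 'Martini', 'service_type': 'kernel driver',
     'image_path': 'C:\\Users\\Public\\Martini.sys'},
    # 2: that driver loading under a name that differs from its original file name
    {'type': 'driver', 'image': 'C:\\Users\\Public\\Martini.sys',
     'original_filename': 'viragt64.sys', 'signed': True},
    # 3: WMIC acting on shadow copies, spawned by the ransomware binary
    {'type': 'process', 'image': 'C:\\Windows\\System32\\wbem\\wmic.exe',
     'parent': 'C:\\Users\\Public\\smartscreen_protected.exe', 'cmdline': 'wmic shadowcopy delete'},
    # 4: wevtutil clearing a log; 5: Windows' own record of that clear
    {'type': 'process', 'image': 'C:\\Windows\\System32\\wevtutil.exe',
     'parent': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'wevtutil.exe cl Security'},
    {'type': 'eventlog', 'channel': 'Security', 'event_id': 1104},
    # 6, 7: benign look-alikes that must not fire
    {'type': 'driver', 'image': 'C:\\Windows\\System32\\drivers\\viragt64.sys',
     'original_filename': 'viragt64.sys', 'signed': True},
    {'type': 'process', 'image': 'C:\\Windows\\System32\\wevtutil.exe',
     'parent': 'C:\\Windows\\explorer.exe', 'cmdline': 'wevtutil.exe qe System /c:5'},
]

DRIVERS_DIR = 'c:\\windows\\system32\\drivers\\'


def _basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def rule_psexec_batch(ev):
    '''A .bat launched by PsExec's service process.'''
    return (ev['type'] == 'process' and _basename(ev['parent']) == 'psexesvc.exe'
            and '.bat' in ev['cmdline'].lower())


def rule_driver_outside_drivers_dir(ev):
    '''Kernel-driver service or driver load whose image is not under the drivers directory.'''
    if ev['type'] == 'service' and ev.get('service_type') == 'kernel driver':
        path = ev['image_path']
    elif ev['type'] == 'driver':
        path = ev['image']
    else:
        return False
    return not path.lower().startswith(DRIVERS_DIR)


def rule_renamed_signed_driver(ev):
    '''BYOVD tell: a signed driver whose on-disk name differs from its original name.'''
    return (ev['type'] == 'driver' and ev.get('signed', False)
            and _basename(ev['image']) != ev.get('original_filename', '').lower())


def rule_shadow_copy_tamper(ev):
    return (ev['type'] == 'process' and _basename(ev['image']) == 'wmic.exe'
            and 'shadowcopy' in ev['cmdline'].lower())


def rule_eventlog_clear_command(ev):
    if ev['type'] != 'process' or _basename(ev['image']) != 'wevtutil.exe':
        return False
    args = ev['cmdline'].lower().split()[1:]
    return bool(args) and args[0] in ('cl', 'clear-log')


def rule_eventlog_cleared(ev):
    '''Windows logs the clearing itself: 1104 in Security, 104 in System.'''
    return ev['type'] == 'eventlog' and (ev['channel'], ev['event_id']) in (('Security', 1104), ('System', 104))


RULES = {
    'psexec_batch': rule_psexec_batch,
    'driver_outside_drivers_dir': rule_driver_outside_drivers_dir,
    'renamed_signed_driver': rule_renamed_signed_driver,
    'shadow_copy_tamper': rule_shadow_copy_tamper,
    'eventlog_clear_command': rule_eventlog_clear_command,
    'eventlog_cleared': rule_eventlog_cleared,
}


def scan(events):
    '''Map each rule name to the indices of the events that trigger it.'''
    hits = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(idx)
    return hits


if __name__ == '__main__':
    for name, idxs in scan(SAMPLE_EVENTS).items():
        print(f'{name}: {idxs}')
```

The renamed-driver rule is the one that survives a driver rename such as viragt64.sys to Martini.sys, while a name or hash list alone would also flag the legitimate install in event 6; the two driver rules are meant to be correlated with the service creation, since a kernel-driver service pointing into a user-writable directory is the earliest observable step of the chain. The 1104/104 rule matters because wevtutil removes the evidence of everything before it but cannot remove the record of the clear itself.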
\r\nFigure 21. The commands that Kasseika uses to clear the event logs\r\nThe command wevtutil.exe clears the Application, Security, and System event logs on the Windows system. This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activity. Clearing a log is itself recorded: Windows writes event ID 1104 to the Security log and event ID 104 to the System log when a log is cleared, so the wipe leaves a detectable trace of its own.\r\nSecurity Recommendations\r\nThe following is a list of measures that organizations can employ as best practices to minimize the chances of falling victim to ransomware attacks such as those launched by Kasseika:\r\nOnly grant employees administrative rights and access when necessary.\r\nEnsure that security products are updated regularly and perform periodic scans.\r\nKeep regular backups of critical data in case of any loss.\r\nExercise good email and website safety practices: download attachments, select URLs, and execute programs only from trusted sources.\r\nEncourage users to alert the security team of potentially suspicious emails and files, and use tools to block malicious emails.\r\nConduct regular user education around the dangers and signals of social engineering.\r\nBlock known-vulnerable drivers: Windows ships a Microsoft-maintained vulnerable driver blocklist (enforced when memory integrity/HVCI is on, or through a WDAC policy), which narrows the set of drivers a BYOVD attack such as this one can load.\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.\r\nTrend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. 
This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of compromise\r\nThe Kasseika ransomware indicators of compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html"
	],
	"report_names": [
		"kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c25c04b4b91f0b4b010a1c30451bd9ecf702c094.pdf",
		"text": "https://archive.orkl.eu/c25c04b4b91f0b4b010a1c30451bd9ecf702c094.txt",
		"img": "https://archive.orkl.eu/c25c04b4b91f0b4b010a1c30451bd9ecf702c094.jpg"
	}
}