Specifically, the threat is the Kasseika ransomware. It abuses a legitimate antivirus driver to shut down the security software, which gives it free rein to act without being detected. Like other ransomware, it is among the most dangerous kinds of threat, since it encrypts your files and demands a ransom to release them.
Kasseika ransomware abuses an antivirus driver
It is yet another ransomware that, like many others, aims to take control of your files away from you. This time, however, it uses a technique that is out of the ordinary: abusing an antivirus driver. Specifically, it abuses the Martini.sys/viragt64.sys driver, which belongs to the VirIT Agent System antivirus from TG Soft.
Because the driver is a legitimate one that Windows will load, the malware can use the driver's ability to terminate processes to shut down the security software: the antivirus simply stops working, so it cannot detect the threat. According to the security researchers behind the discovery, Kasseika shares many traits with the BlackMatter ransomware, so it may come from the same developers.
How exactly does the infection happen? It starts with a phishing email, a classic, whose purpose is to obtain access credentials. With those in hand, the attackers use the Windows tool PsExec to run malicious .bat files. The script checks whether the Martini.exe process exists and terminates it; if the process is not found, the script does not continue.
The aim of this step is to kill the antivirus process. The ransomware is then launched and encrypts files using the ChaCha20 and RSA algorithms. As usual, a ransom is demanded to release the encrypted files, and in this case the payment requested in bitcoin is quite high.
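As an added example (not Kasseika's own script and not the researchers' detection rule), the following Python hunts a set of constructed Sysmon-style log lines for the sequence described above: a .bat file launched through PsExec, a termination of Martini.exe, and a load of Martini.sys/viragt64.sys from a directory where the antivirus would not normally live. The log format, hostnames, paths, the list of trusted driver directories and the use of taskkill are all assumptions made for illustration.

```python
"""
Hunt for the Kasseika pre-encryption sequence in constructed Sysmon-style logs.
Example code added to this article; it is not Kasseika's batch script and not a
vendor detection rule. Log format, hosts, paths and commands are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Assumed one-line format:
# <timestamp> host=<name> event=<ProcessCreate|DriverLoad> key=value ...
SAMPLE_LOG = r"""
2024-01-15T10:01:02Z host=WS01 event=ProcessCreate image=C:\Windows\PSEXESVC.exe cmdline="PSEXESVC.exe" parent=services.exe
2024-01-15T10:01:03Z host=WS01 event=ProcessCreate image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Users\Public\run.bat" parent=PSEXESVC.exe
2024-01-15T10:01:04Z host=WS01 event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM Martini.exe" parent=cmd.exe
2024-01-15T10:01:06Z host=WS01 event=DriverLoad image=C:\Users\Public\Martini.sys signed=true
2024-01-15T10:05:00Z host=WS02 event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM notepad.exe" parent=cmd.exe
2024-01-15T10:05:01Z host=WS03 event=DriverLoad image="C:\Program Files\VirIT\viragt64.sys" signed=true
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Driver file names named in the article; matching is case-insensitive.
TARGET_DRIVERS = {"martini.sys", "viragt64.sys"}
AV_PROCESS = "martini.exe"
# Assumed: directories from which a legitimate VirIT install would load its driver.
TRUSTED_DRIVER_DIRS = ("c:\\program files\\virit\\", "c:\\windows\\system32\\drivers\\")


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def indicators_for(ev):
    """Return the indicator names a single event matches (possibly none)."""
    found = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    parent = ev.get("parent", "").lower()
    if ev.get("event") == "ProcessCreate":
        # A batch file started by the PsExec service process.
        if parent == "psexesvc.exe" and ".bat" in cmd:
            found.append("psexec_bat")
        # Forced termination of the antivirus process.
        if image.endswith("taskkill.exe") and AV_PROCESS in cmd:
            found.append("kill_av_process")
    elif ev.get("event") == "DriverLoad":
        # The legitimate driver loaded from somewhere the product did not install it.
        name = image.rsplit("\\", 1)[-1]
        if name in TARGET_DRIVERS and not image.startswith(TRUSTED_DRIVER_DIRS):
            found.append("byovd_driver_load")
    return found


def hunt(log_text, min_indicators=2):
    """Group indicators per host; report hosts with at least min_indicators distinct ones."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for ind in indicators_for(ev):
            per_host[ev.get("host", "?")].append((ev["ts"], ind))
    return {h: hits for h, hits in per_host.items()
            if len({i for _, i in hits}) >= min_indicators}


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        print(host)
        for ts, ind in hits:
            print(f"  {ts}  {ind}")
```

A single taskkill or a single driver load is noisy on its own (WS02 and WS03 above are benign), so the hunt only reports a host once several stages of the chain line up; in real telemetry you would key on Sysmon event IDs 1 and 6 and tune the trusted directories to where the product actually installs.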
How to protect yourself
What can you do to protect yourself? Above all, common sense. As you have seen, everything starts with an email that is in fact a phishing attack. Never share data through emails, social networks or SMS messages when you do not really know who is behind them, and never log in through links you receive. There are always ways to tell whether an SMS is a scam or an email is phishing.
Furthermore, keep the system fully updated. In many cases cybercriminals exploit vulnerabilities they find, so running the latest versions protects you from many problems that put your privacy and security at risk. Bear in mind, though, that in this case the driver being abused is a legitimate one, so updates alone are not enough: it is also worth checking whether your endpoint protection or Windows driver blocklist prevents known-abused drivers from loading.
It is also essential to have a good antivirus. Although in this case the attackers manage to abuse a security product's driver, good software will still detect many threats. Always check which one you have installed, make sure it is running correctly and, ideally, that it protects its own processes from being terminated.
In short, Kasseika is a dangerous ransomware that can abuse the drivers of some antivirus products to stop them working and then act freely. It is key to protect your devices properly so that you do not run into problems of this kind.