Casso
⚠️ Overview
Casso is a ransomware variant first documented in July 2023 by the Cyble Research and Intelligence Labs (CRIL). It is attributed to an unknown threat actor and belongs to the Ransomware-as-a-Service (RaaS) category, with a model that incentivizes affiliates via a Telegram-based builder. The malware encrypts files and appends the .casso extension while leaving a ransom note named README.txt.
🔧 Technical Capabilities
Casso propagates primarily through phishing emails containing malicious attachments or links, and also via exploitation of unpatched Remote Desktop Protocol (RDP) services. Its delivery chain includes PowerShell-based droppers that execute the payload in memory. The C2 infrastructure relies on HTTP POST requests to hardcoded IP addresses, using JSON-formatted beaconing. Persistence is achieved through registry Run keys and scheduled tasks. Evasion techniques include anti-debugging checks, process hollowing, and obfuscation of the binary using UPX packing. It also terminates processes associated with databases (e.g., SQL Server), email servers, and backup software so that open file handles do not block encryption.
📜 History & Notable Incidents
First observed in July 2023, Casso was initially used in low-volume campaigns targeting small-to-medium businesses in India and Southeast Asia. No high-profile victims have been publicly named as of early 2024. No CVEs are directly associated with Casso itself; however, the malware exploits known RDP vulnerabilities (e.g., CVE-2019-0708 BlueKeep) when used in initial access. No law enforcement takedowns have been reported.
🔍 Detection Indicators
Known file hashes include SHA256: e7c5f8a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 (example from Cyble report). Behavioral signatures include file modification patterns with the .casso extension, creation of README.txt containing ransom demands, and network connections to suspicious IPs on port 8080. The registry key HKEY_CURRENT_USER\Software\Casso is created for persistence. A mutex named "CassoMutex" is used to prevent multiple infections. User-Agent strings observed include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", spoofed in its custom C2 communication.
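As an added example (not from the Cyble report or this page), the indicators above expressed as host-level detection logic and run over constructed sample telemetry. The event schema, process IDs, paths and the 192.0.2.10 address are assumptions for illustration; the rename threshold is a tunable, not a documented Casso value.

```python
from collections import Counter

# Indicators from the profile above. The event format (dicts with "type",
# "pid" and type-specific fields) is an assumed schema, not a real sensor's.
CASSO_EXTENSION = ".casso"
RANSOM_NOTE = "readme.txt"
REGISTRY_KEY = r"hkey_current_user\software\casso"
MUTEX_NAME = "CassoMutex"
C2_PORT = 8080


def classify_event(event):
    """Return the names of the Casso indicators that a single event matches."""
    hits = []
    etype = event.get("type")
    if etype == "file_create":
        path = event.get("path", "").lower()
        if path.endswith(CASSO_EXTENSION):
            hits.append("casso_extension")
        elif path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            hits.append("ransom_note")
    elif etype == "registry_set" and event.get("key", "").lower().startswith(REGISTRY_KEY):
        hits.append("registry_persistence")
    elif etype == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex")
    elif etype == "network_connect" and event.get("dst_port") == C2_PORT:
        hits.append("c2_port")  # noisy alone; only meaningful with other hits
    return hits


def flag_processes(events, rename_threshold=20):
    """Group hits per process. Flag a process that mass-writes .casso files or
    shows two or more distinct indicators; one README.txt or one port-8080
    connection by itself is treated as benign noise."""
    per_pid = {}
    for ev in events:
        for hit in classify_event(ev):
            per_pid.setdefault(ev["pid"], Counter())[hit] += 1
    return {pid: dict(c) for pid, c in per_pid.items()
            if c["casso_extension"] >= rename_threshold or len(c) >= 2}


# Constructed telemetry: pid 100 is a benign tool writing a README.txt,
# pid 4242 behaves the way the profile describes.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 100, "path": r"C:\repo\README.txt"},
    {"type": "mutex_create", "pid": 4242, "name": "CassoMutex"},
    {"type": "registry_set", "pid": 4242, "key": r"HKEY_CURRENT_USER\Software\Casso"},
    {"type": "network_connect", "pid": 4242, "dst_ip": "192.0.2.10", "dst_port": 8080},
] + [{"type": "file_create", "pid": 4242, "path": rf"C:\Users\u\Documents\doc{i}.docx.casso"}
     for i in range(25)] + [
    {"type": "file_create", "pid": 4242, "path": r"C:\Users\u\Documents\README.txt"},
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))  # only pid 4242 is flagged
```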
☠️ Risk & Impact
Casso causes significant data loss by encrypting both local and mapped network drives. Financial losses are primarily from ransom payments (typically 0.1–0.5 BTC) and business disruption. Affected sectors include manufacturing, healthcare, and education in India and Southeast Asia. No data exfiltration has been confirmed in public reports.
🛡️ Mitigation
Recommended defenses include blocking RDP from the internet, enabling multi-factor authentication, and applying patches for known RDP vulnerabilities (CVE-2019-0708). Use endpoint detection rules such as Sigma rule "Casso Ransomware File Modifications" and block the C2 IPs listed on Cyble's IOC feed. Regular offline backups are critical.