KillDisk

Malware Profile Updated 13 days ago
KillDisk is a destructive malware family, initially designed to overwrite targeted files rather than encrypt them. First seen in action in December 2016, it hindered recovery by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stage of its attacks to overwrite files with specific extensions on victims' disks. While its role in causing a power outage remains unconfirmed, iSIGHT Partners are still investigating the extent of its involvement in that event.

The malware evolved considerably over time, with later attacks adding elements that mimicked typical ransomware operations. In the second wave of attacks, the operators behind KillDisk added contact information to the malware, making it resemble a standard ransomware attack. This change in the malware's function and presentation suggests an attempt to confuse or mislead victims and investigators.

KillDisk has been associated with other major cyber threats, such as BlackEnergy 3 and the Sandworm Team. According to iSIGHT sources, it was deployed on at least one of the Ukrainian power systems affected by BlackEnergy 3. Moreover, similarities were noted between KillDisk's list of target file extensions and the list used in the December 2016 attacks. The malware was also linked to disruptive activity during the Ukrainian elections in October, further cementing its reputation as a tool for cyber-espionage and sabotage operations.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names and profiles you may also want to look at.
ID   Votes   Profile Description
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Malware
Ransomware
Associated Malware
ID   Type   Votes   Profile Description
No associations to display
Associated Threat Actors
ID         Type          Votes   Profile Description
Sandworm   Unspecified   2       Sandworm is a Russia-linked Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The group has been associated with several high-profile attacks, including compromising 11 Ukrainian telecommunications providers and deploying the previously unknown Kapeka backdoor. S
Associated Vulnerabilities
ID   Type   Votes   Profile Description
No associations to display
Source Document References
Information about the KillDisk malware was read from the document corpus below. This display is limited to 20 results.
Source       Created At     Title
MITRE        a year ago     KillDisk Variant Hits Latin American Financial Groups
MITRE        a year ago     KillDisk Disk-Wiping Malware Adds Ransomware Component
MITRE        a year ago     BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry | WeLiveSecurity
MITRE        a year ago     TeleBots are back: Supply-chain attacks against Ukraine | WeLiveSecurity
MITRE        a year ago     KillDisk Variant Hits Latin American Finance Industry
MITRE        a year ago     Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant
CERT-EU      a year ago     APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
Trend Micro  a year ago     Vice Society Ransomware Group Targets Manufacturing Companies
CERT-EU      2 months ago   Operational Technology Threats - ReliaQuest