KillDisk

Malware updated 5 months ago (2024-05-04T18:19:21.002Z)

Download STIX

Preview STIX

KillDisk is a potent malware, initially designed to overwrite targeted files instead of encrypting them. First seen in action during December 2016, it disrupted recovery processes by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stages of their attacks to overwrite specific file extensions on victims' disks. While its role in causing a power outage remains unconfirmed, iSIGHT Partners are still investigating the extent of its involvement in this significant event. The malware underwent significant evolution over time, with subsequent attacks incorporating elements that mimicked typical ransomware operations. In the second wave of attacks, the orchestrators behind KillDisk added contact information to the malware, thereby making it resemble a standard ransomware attack. This development marked a shift in the malware's function and presentation, indicating an attempt to confuse or mislead victims and investigators. KillDisk has been associated with other major cyber threats, such as BlackEnergy 3 and Sandworm Team. It was deployed on at least one of the Ukrainian power systems affected by BlackEnergy 3, according to iSIGHT sources. Moreover, similarities were noted between the target file extensions list from KillDisk and those used in the December 2016 attacks. The malware was also linked to disruptive activities during the Ukrainian elections in October, further solidifying its reputation as a tool for significant cyber-espionage and sabotage operations.

Description last updated: 2024-05-04T18:04:34.069Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Sandworm Threat Actor is associated with KillDisk. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi	Unspecified	2

Source Document References

Information about the KillDisk Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	7 months ago	Operational Technology Threats - ReliaQuest
MITRE	2 years ago	Sandworm Team and the Ukrainian Power Authority Attacks \| Mandiant
MITRE	2 years ago	TeleBots are back: Supply‑chain attacks against Ukraine \| WeLiveSecurity
MITRE	2 years ago	BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry \| WeLiveSecurity
MITRE	2 years ago	KillDisk Disk-Wiping Malware Adds Ransomware Component
MITRE	2 years ago	KillDisk Variant Hits Latin American Financial Groups
MITRE	2 years ago	KillDisk Variant Hits Latin American Finance Industry
Trend Micro	2 years ago	Vice Society Ransomware Group Targets Manufacturing Companies
CERT-EU	2 years ago	APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.