KillDisk

Malware Profile Updated 3 months ago
KillDisk is a destructive malware family, initially designed to overwrite targeted files rather than encrypt them. First seen in action in December 2016, it disrupted recovery by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stage of their attacks to overwrite files with specific extensions on victims' disks. Whether it played a role in causing a power outage remains unconfirmed; iSIGHT Partners are still investigating the extent of its involvement in that event.

The malware evolved significantly over time, with later attacks incorporating elements that mimicked typical ransomware operations. In the second wave of attacks, the operators behind KillDisk added contact information to the malware, making it resemble a standard ransomware attack. This marked a shift in the malware's function and presentation, and suggests an attempt to confuse or mislead victims and investigators.

KillDisk has been associated with other major cyber threats, such as BlackEnergy 3 and Sandworm Team. According to iSIGHT sources, it was deployed on at least one of the Ukrainian power systems affected by BlackEnergy 3. Similarities were also noted between KillDisk's list of targeted file extensions and those used in the December 2016 attacks. The malware was additionally linked to disruptive activity during the Ukrainian elections in October, further establishing it as a tool for cyber-espionage and sabotage operations.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Bitcoin
Espionage
Ransom
Encryption
Trojan
Linux
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
BlackEnergy | Unspecified | 1 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
petya | Unspecified | 1 | Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 2 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Telebots | Unspecified | 1 | TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize
Sandworm Team | Unspecified | 1 | The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the KillDisk malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 5 months ago | Operational Technology Threats - ReliaQuest
MITRE | a year ago | Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant
MITRE | a year ago | TeleBots are back: Supply-chain attacks against Ukraine | WeLiveSecurity
MITRE | a year ago | BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry | WeLiveSecurity
MITRE | a year ago | KillDisk Disk-Wiping Malware Adds Ransomware Component
MITRE | a year ago | KillDisk Variant Hits Latin American Financial Groups
MITRE | a year ago | KillDisk Variant Hits Latin American Finance Industry
Trend Micro | a year ago | Vice Society Ransomware Group Targets Manufacturing Companies
CERT-EU | a year ago | APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.