KillDisk is a potent piece of malware, initially designed to overwrite targeted files rather than encrypt them. First seen in action during December 2016, it disrupted recovery processes by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stages of their attacks to overwrite files with specific extensions on victims' disks. Its role in causing a power outage remains unconfirmed; iSIGHT Partners are still investigating the extent of its involvement in that significant event.
The malware underwent significant evolution over time, with subsequent attacks incorporating elements that mimicked typical ransomware operations. In the second wave of attacks, the operators behind KillDisk added contact information to the malware, making it resemble a standard ransomware attack. This development marked a shift in the malware's function and presentation, indicating an attempt to confuse or mislead victims and investigators.
KillDisk has been associated with other major cyber threats, such as BlackEnergy 3 and the Sandworm Team. According to iSIGHT sources, it was deployed on at least one of the Ukrainian power systems affected by BlackEnergy 3. Moreover, similarities were noted between the list of file extensions targeted by KillDisk and the list used in the December 2016 attacks. The malware was also linked to disruptive activities during the Ukrainian elections in October, further solidifying its reputation as a tool for significant cyber-espionage and sabotage operations.
Description last updated: 2024-05-04T18:04:34.069Z