KillDisk

Malware updated 5 months ago (2024-05-04T18:19:21.002Z)
KillDisk is a destructive malware family, initially designed to overwrite targeted files rather than encrypt them. First observed in action in December 2016, it hampered recovery by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stage of its attacks to overwrite files with specific extensions on victims' disks. Its role in causing a power outage remains unconfirmed; iSIGHT Partners are still investigating the extent of its involvement in that event.

The malware evolved significantly over time, with later attacks incorporating elements that mimicked typical ransomware operations. In the second wave of attacks, the operators behind KillDisk added contact information to the malware, making it resemble a standard ransomware attack. This change in the malware's function and presentation suggests an attempt to confuse or mislead victims and investigators.

KillDisk has been associated with other major cyber threats, including BlackEnergy 3 and the Sandworm Team. According to iSIGHT sources, it was deployed on at least one of the Ukrainian power systems affected by BlackEnergy 3. Similarities were also noted between KillDisk's list of targeted file extensions and those used in the December 2016 attacks. The malware was further linked to disruptive activity during the Ukrainian elections in October, reinforcing its reputation as a tool for cyber-espionage and sabotage operations.
Description last updated: 2024-05-04T18:04:34.069Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
Malware
Ransomware
Associated Threat Actors
Alias: Sandworm
Description: The Sandworm Threat Actor is associated with KillDisk. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi
Association Type: Unspecified
Votes: 2