
Destructive KillDisk Malware Turns Into Ransomware

A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain.


Previous versions of KillDisk wiped hard drives in an effort to make systems inoperable, but a new variant observed by industrial cyber security firm CyberX encrypts files using a combination of RSA and AES algorithms. Specifically, each file is encrypted with an individual AES key and these keys are encrypted using an RSA 1028 key stored in the body of the malware.

CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware. The code is similar to earlier samples and its functionality is nearly the same.

The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted.

Victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting “organizations with deep pockets.” The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions.

KillDisk ransomware

Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims.
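The key structure described above (a unique AES key per file, each wrapped with one RSA public key carried in every sample) is what makes Atch's observation about a single decryptor true, so here it is worked through in Go. This is added illustration code, not CyberX's analysis tooling or the malware's own format: the record layout, field names, the 2048-bit key size, the AES-GCM/RSA-OAEP choices and the two "victim" files are all this example's assumptions. The point it shows is the decryptor side: whoever holds the one campaign private key can unwrap the file keys of every victim, while a private key from any other pair fails at the unwrap step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedFile is this example's own record layout, not the malware's: the file
// body under a per-file AES key, plus that key wrapped with the one RSA public key.
type WrappedFile struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile draws a fresh 256-bit AES key, seals the body with AES-GCM (file
// name as associated data) and wraps the key with RSA-OAEP under pub.
func sealFile(pub *rsa.PublicKey, name string, body []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, []byte(name))
	return &WrappedFile{Name: name, Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// openFile is the decryptor side: unwrap the file key with the private key,
// then open the body. Any other private key fails at the unwrap step.
func openFile(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, []byte(wf.Name))
}

// demo models two victims whose samples carry the same public key. It reports
// whether the one campaign private key recovered every file, and whether a
// private key from an unrelated pair was rejected.
func demo() (recoversAll, wrongKeyRejected bool, err error) {
	campaignKey, err := rsa.GenerateKey(rand.Reader, 2048) // key size is this example's choice
	if err != nil {
		return false, false, err
	}
	unrelatedKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	victims := map[string][]byte{ // constructed sample files
		"victimA/report.docx": []byte("quarterly production figures"),
		"victimB/hmi.cfg":     []byte("plc_addr=192.0.2.10"),
	}
	recoversAll, wrongKeyRejected = true, true
	for name, body := range victims {
		wf, err := sealFile(&campaignKey.PublicKey, name, body)
		if err != nil {
			return false, false, err
		}
		if got, err := openFile(campaignKey, wf); err != nil || !bytes.Equal(got, body) {
			recoversAll = false
		}
		if _, err := openFile(unrelatedKey, wf); err == nil {
			wrongKeyRejected = false
		}
	}
	return recoversAll, wrongKeyRejected, nil
}

func main() {
	all, rejected, err := demo()
	fmt.Println("shared private key recovers every victim:", all, "| unrelated key rejected:", rejected, "| err:", err)
}
```

The design consequence for defenders is the one the article draws: because the wrap step depends only on the embedded public key, a single private key (obtained, seized or published) is enough to build one decryptor for every victim of that key, whereas per-victim key pairs would not allow that.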

According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products.
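The behaviour CyberX describes (elevated privileges, a new service registration, then a wave of process terminations that carefully spares system and anti-malware processes) is observable in host telemetry. The following Go snippet is an added detection sketch, not CyberX's or SecurityWeek's code, run over a constructed timeline: it looks for a Windows System-log 7045 "service installed" record under LocalSystem followed within a short window by a burst of Security-log 4689 "process exited" records for processes outside a small spared list. The event struct, field names, the spared-process list and the sample records are all this example's assumptions; Windows exit events do not record which process ended another, so the correlation is purely temporal.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a constructed, simplified view of two Windows log records:
// System 7045 (a service was installed) and Security 4689 (a process has
// exited). Field names are this example's own, not the EVTX schema.
type Event struct {
	Time    time.Time
	ID      int
	Image   string // 7045: service binary path; 4689: name of the exited process
	Account string // 7045: service account; empty for 4689
}

// Finding records one suspicious service install and the processes that
// exited shortly after it.
type Finding struct {
	ServiceImage string
	Exited       []string
}

// Processes the article says the malware deliberately spares. A burst of
// exits that skips exactly these is the shape the rule looks for.
// Illustrative list, not a complete inventory.
var spared = map[string]bool{"csrss.exe": true, "lsass.exe": true, "MsMpEng.exe": true}

// detectServiceThenExitBurst flags a 7045 under LocalSystem followed, within
// window, by at least minExits distinct non-spared process exits.
func detectServiceThenExitBurst(events []Event, window time.Duration, minExits int) []Finding {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	var findings []Finding
	for i, e := range sorted {
		if e.ID != 7045 || e.Account != "LocalSystem" {
			continue
		}
		seen := map[string]bool{}
		for _, f := range sorted[i+1:] {
			if f.Time.Sub(e.Time) > window {
				break
			}
			if f.ID == 4689 && !spared[f.Image] {
				seen[f.Image] = true
			}
		}
		if len(seen) < minExits {
			continue
		}
		names := make([]string, 0, len(seen))
		for n := range seen {
			names = append(names, n)
		}
		sort.Strings(names)
		findings = append(findings, Finding{ServiceImage: e.Image, Exited: names})
	}
	return findings
}

// sampleEvents builds a constructed timeline: one service install followed by
// an exit burst that spares lsass.exe, then a benign install with a single exit.
func sampleEvents() []Event {
	t0 := time.Date(2017, 1, 5, 9, 0, 0, 0, time.UTC)
	return []Event{
		{t0, 7045, `C:\ProgramData\svc_example.exe`, "LocalSystem"},
		{t0.Add(2 * time.Second), 4689, "winword.exe", ""},
		{t0.Add(3 * time.Second), 4689, "sqlservr.exe", ""},
		{t0.Add(3 * time.Second), 4689, "lsass.exe", ""},
		{t0.Add(4 * time.Second), 4689, "outlook.exe", ""},
		{t0.Add(10 * time.Minute), 7045, `C:\Program Files\Backup\agent.exe`, "LocalSystem"},
		{t0.Add(10*time.Minute + time.Second), 4689, "notepad.exe", ""},
	}
}

func main() {
	for _, f := range detectServiceThenExitBurst(sampleEvents(), time.Minute, 3) {
		fmt.Printf("suspicious service %s; exits that followed: %v\n", f.ServiceImage, f.Exited)
	}
}
```

Run against the sample timeline, only the first service install is reported; the later backup agent installs under the same account but is not followed by an exit burst. Process-exit auditing (4689) is off by default on Windows, so a rule of this shape only works where audit process tracking or an EDR equivalent is enabled, and the window and threshold need tuning against a site's normal patching and restart activity.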

“An important thing to notice about the malware is that the author/s are familiar with the crypto API; they are using some of its functions to generate truly random numbers,” Atch explained. “But they decided to avoid using the function CryptDecrypt, probably because this function can be easily hooked. Hooking the function may provide anti-malware software an easy way of dealing with unwanted file encryption, as the hooking will provide an ability to restore the keys.”

KillDisk evolution to ransomware

Earlier this month, security firm ESET published a report detailing attacks conducted by a threat group dubbed TeleBots. Researchers believe TeleBots is an evolution of the Russia-linked BlackEnergy (Sandworm) group, which is said to be responsible for several attacks on ICS/SCADA systems, including the December 2015 operation aimed at Ukraine’s energy sector.

One of the tools used by the BlackEnergy actor is KillDisk, a piece of malware originally designed to delete files and make systems inoperable. In the attacks that caused power outages in Ukraine, KillDisk was used to make it more difficult for affected power companies to restore service.

In recent cyber-sabotage campaigns launched against high-value targets in Ukraine’s financial sector, TeleBots used various tools, including a new version of KillDisk. This malware, used in the final stages of the attack, was executed with high privileges on servers and workstations after attackers likely obtained administrator credentials in the previous stages of the operation.

In these attacks, KillDisk was configured to activate at a predefined date and time. In addition to deleting important system files, it was set up to overwrite files with certain extensions – largely the same types that the ransomware variant encrypts.

CyberX believes threat actors turned KillDisk into a piece of ransomware because, unlike cyber-sabotage, the new functionality enables them to directly monetize their attacks.

Experts pointed out that industrial organizations can be an ideal target for ransomware for several reasons, including the fact that cyber-disruptions can result in physical safety risks and production outages, network operations typically cannot be easily shut down, data backup processes may not cover all the required data, and the employees of industrial organizations might be less aware of cyber threats.

“Enterprises are more likely to quietly pay the ransom because of concerns that going public with cyberattacks will invite greater scrutiny from regulators, and possibly fines (environmental, safety, etc.),” said Phil Neray, VP of industrial cybersecurity at CyberX.

Related: Ukraine Power Outage Possibly Caused by Cyberattack

Related: BlackEnergy, KillDisk Infect Ukrainian Mining, Railway Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
