Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New KillDisk Variant Hits Latin America

A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.

A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.

KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.

Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.

In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.

One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).

In May, the security firm observed a master boot record (MBR)-wiping malware in the region, with one of the impacted organizations being a bank “whose systems were rendered inoperable for several days.” The attack, however, was deemed a distraction, as the actor behind it was in fact focused on accessing systems connected to the bank’s local SWIFT network.

The researchers also discovered that the malware used in this attack was a new variant of KillDisk, based on the error message displayed by the affected systems (common to machines infected with MBR-wiping threats).

“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” Trend Micro says.

The malware used in the May attack was created using Nullsoft Scriptable Install System (NSIS), with the actor purposely naming it “MBR Killer.” Analysis of the sample revealed a routine to wipe the first sector of the machine’s physical disk.

The security researchers also say they haven’t found other new or notable routines in the sample and that no command-and-control (C&C) infrastructure or communication were observed. Furthermore, no ransomware-like routines were found in the malware, nor network-related behavior.

The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0x00”, attempts the same routine on all hard disks, then forces the machine to shut down.

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” Trend Micro notes.

Related: New KillDisk Variant Spotted in Latin America

Related: NotPetya Connected to BlackEnergy/KillDisk: Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.