Cybercrime

New KillDisk Variant Spotted in Latin America

A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America.

The security firm is still examining the new variant and the attacks, but an initial analysis suggests that the Trojan is dropped by another piece of malware or is one component of a larger intrusion.

Early versions of KillDisk were designed to wipe hard drives in order to render systems inoperable. The malware was deployed by the Russia-linked group behind the BlackEnergy toolkit in the 2015 attack on Ukraine’s energy sector.

Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

Experts later reported a KillDisk ransomware variant targeting Linux machines; that variant did not store the encryption keys anywhere, locally or on a remote server, so files could not be recovered even if the ransom was paid.

Some links have also been found between KillDisk and the NotPetya malware, which initially appeared to be a piece of ransomware but later turned out to be a disk wiper. NotPetya hit machines in more than 65 countries and major companies reported losing hundreds of millions of dollars as a result of the attack.

The latest variant, which Trend Micro tracks as TROJ_KILLDISK.IUB, goes back to its roots and focuses on deleting files and wiping the disk. The malware targets Windows systems and walks every drive, deleting files except for system files and folders.

It then wipes the disk: it reads the master boot record (MBR) and overwrites the extended boot record (EBR). Both the file removal and the disk wipe overwrite the underlying data rather than merely unlinking it, which makes forensic recovery considerably harder.
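As an added illustration of what overwriting the EBR destroys (this is example code written for this page, not Trend Micro's analysis tooling or anything from the malware), the following Python walks the MBR partition table to the extended partition and follows the EBR chain over a constructed in-memory disk image, reporting which boot records still carry the 0x55AA signature. The sector layout, partition type codes and the sample image are the example's own assumptions; on a real acquisition you would pass in the raw image bytes.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"               # last two bytes of a valid MBR or EBR
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS, LBA and Linux extended partition types
EMPTY_ENTRY = bytes(16)


def make_entry(ptype: int, lba_start: int, sectors: int, status: int = 0x00) -> bytes:
    """Build one 16-byte partition entry; CHS fields carry the 0xFEFFFF 'use LBA' marker."""
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def make_boot_sector(entries: list) -> bytes:
    """Assemble a 512-byte MBR/EBR: 446 bytes of (empty) boot code, 4 entries, signature."""
    assert len(entries) == 4
    return bytes(446) + b"".join(entries) + BOOT_SIG


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries of an MBR or EBR sector as dicts."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def check_boot_records(image: bytes) -> list:
    """Return [(record, lba, status), ...] for the MBR and every EBR reachable from it.
    status is "ok", "signature-missing" (sector overwritten or zeroed) or "out-of-image"."""
    report = []
    mbr = image[0:SECTOR]
    if not has_boot_signature(mbr):
        report.append(("MBR", 0, "signature-missing"))   # sector 0 gone: table and boot code lost
        return report
    report.append(("MBR", 0, "ok"))

    extended = [e for e in parse_partition_table(mbr) if e["type"] in EXTENDED_TYPES]
    if not extended:
        return report                         # no extended partition, so no EBR chain
    ext_base = extended[0]["lba_start"]       # EBR 'next' links are relative to this LBA
    ebr_lba, seen = ext_base, set()
    while ebr_lba and ebr_lba not in seen:    # 'seen' guards against a corrupted, looping chain
        seen.add(ebr_lba)
        ebr = image[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR]
        if len(ebr) < SECTOR:
            report.append(("EBR", ebr_lba, "out-of-image"))
            break
        if not has_boot_signature(ebr):
            # An overwritten EBR breaks the chain: this logical volume and every
            # later one are unreachable without carving.
            report.append(("EBR", ebr_lba, "signature-missing"))
            break
        report.append(("EBR", ebr_lba, "ok"))
        next_link = parse_partition_table(ebr)[1]   # entry 1 points to the next EBR
        ebr_lba = ext_base + next_link["lba_start"] if next_link["lba_start"] else 0
    return report


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed 32 KiB image: one primary partition plus an extended one with two logical volumes."""
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = make_boot_sector([
        make_entry(0x07, 1, 15, status=0x80),   # bootable primary, LBA 1-15
        make_entry(0x05, 16, 48),               # extended container, LBA 16-63
        EMPTY_ENTRY, EMPTY_ENTRY])
    img[16 * SECTOR:17 * SECTOR] = make_boot_sector([
        make_entry(0x07, 1, 15),                # first logical volume, relative to this EBR
        make_entry(0x05, 16, 16),               # next EBR at ext_base + 16 = LBA 32
        EMPTY_ENTRY, EMPTY_ENTRY])
    img[32 * SECTOR:33 * SECTOR] = make_boot_sector([
        make_entry(0x07, 1, 15),                # second logical volume
        EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY]) # no further EBR
    return bytes(img)


def overwrite_sector(image: bytes, lba: int, fill: bytes = b"\x00") -> bytes:
    """Simulate a wiper overwriting one sector; returns a new image."""
    img = bytearray(image)
    img[lba * SECTOR:(lba + 1) * SECTOR] = (fill * SECTOR)[:SECTOR]
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    print("intact:   ", check_boot_records(disk))
    print("EBR wiped:", check_boot_records(overwrite_sector(disk, 16)))
    print("MBR wiped:", check_boot_records(overwrite_sector(disk, 0)))
```

Overwriting the first EBR alone leaves the MBR and the primary partition intact but severs the link to every logical volume, which is why the wiper can do a lot of damage with very few sector writes; recovering those volumes then means carving for the orphaned EBRs and filesystem headers rather than reading the partition table.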

Once files and partitions have been deleted and overwritten, the malware tries to terminate several processes in order to force a reboot. Because the client/server runtime subsystem (csrss.exe), Windows start-up (wininit.exe), Windows logon (winlogon.exe) and the Local Security Authority Subsystem Service (lsass.exe) are critical system processes, killing them triggers a blue screen of death (BSOD), a logout, or a restart.

Trend Micro has promised to share more information on the new KillDisk variant as its investigation continues.

Related: Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Related: Web Hosting Provider Pays $1 Million to Ransomware Attackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.