A new version of the KillDisk disk-wiping malware has hit companies in the financial sector in Latin America, Trend Micro reported yesterday.

Just like previous versions, KillDisk purposely deleted files but included a ransom note in an attempt to fool victims that they've been infected with ransomware and not a malicious disk wiper known to be used in many past cyber-espionage operations.

KillDisk —from disk wiper to faux ransomware

On the infosec scene, KillDisk is one of the most infamous malware families around. The malware was developed and used primarily by a Russian cyber-espionage group known as Telebots.

This is the same group that created the Sandworm malware that attacked industrial equipment in the US, the BlackEnergy malware that was used in attacks against Ukraine's power grid, and the NotPetya ransomware that hit many companies in June 2017.

KillDisk was initially developed as a disk-wiping malware that was deployed in the later stages of an infection so attackers could use it to hide their tracks by wiping disks and destroying forensic evidence.

This was KillDisk's main purpose when it was used together with the BlackEnergy malware during Telebots' attacks on the Ukrainian power grid in December 2015 and December 2016.

By the end of 2016, KillDisk received a facelift and started posing as ransomware in attacks against Ukrainian banks. A Linux variant was also discovered soon after, also used against the same targets.

New KillDisk attacks

Now, Trend Micro is reporting of new KillDisk attacks. The company says it detected a new version, but the changes are minimal from past attacks.

The ransom note is still there, as well as the disk-wiping functions. The only thing that's changed are the targets, with KillDisk being deployed on the networks of Latin American financial firms, far away from the previous Ukrainian targets where the malware was spotted for the past three years.

For the time being, Trend Micro did not say if these newer attacks were carried out by the TeleBots crew, or by some copycats trying to fool forensics investigators and throw investigators off their trail.

Few changes from previous versions

But just like in previous attacks, researchers also noted that KillDisk was not the primary malware deployed by intruders.

"This KillDisk variant looks like it is intentionally dropped by another process/attacker," researchers said. "Its file path is hardcoded in the malware (c:\windows\dimens.exe), which means that it is tightly coupled with its installer or is a part of a bigger package."

Researchers did not say what was the primary payload just yet. Nonetheless, they went into more details regarding the mode of operation of this particular KillDisk variant.

New KillDisk malware MO

According to researchers, KillDisk —once dropped on a computer— will load itself into memory, delete its files from disk, and rename itself.

It will then overwrite the first 20 sectors of each storage device's Master Boot Record (MBR) with 0x00 bytes.

After that it will rewrite the first 2800 bytes of each file with the same 0x00 bytes on each fixed and removable storage drive. The only files left intact are files and folders found in the following directories, all curcial to OS operations.

Program Files
Program Files (x86)
Recovery (case-sensitive check)
System Volume Information

KillDisk then starts a 15 minutes timer and then kills the following process. Because these are crucial OS processes, the user's machine will either enter a BSOD or will forcibly reboot without the user's option.

Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)

Once the system restarts, the user won't be able to use his computer unless he repairs the damaged MBR records. When a system administrator investigates, the most common scenarios are that he'll find the ransom note and think the system was hit by ransomware, or he'll install from previous backups, destroying even the last clues of a KillDisk infection.

It's because of this haste to have computers back and running in enterprise networks that disk-wiping malware strains like KillDisk and Shamoo have added ransomware components.

New KillDisk SHA256 hash:


Related Articles:

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

New Reports Show Increased CyberThreats, User Risks Remain High

Company Pretends to Decrypt Ransomware But Just Pays Ransom

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

Ransomware Infects 100K PCs in China, Demands WeChat Payment