KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]

ID: S0607
Associated Software: Win32/KillDisk.NBI, Win32/KillDisk.NBH, Win32/KillDisk.NBD, Win32/KillDisk.NBC, Win32/KillDisk.NBB
Type: MALWARE
Platforms: Linux, Windows
Version: 1.2
Created: 20 January 2021
Last Modified: 06 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1036.004 Masquerading: Masquerade Task or Service

KillDisk registers as a service under the Plug-And-Play Support name.[5]

Enterprise T1129 Shared Modules

KillDisk loads and executes functions from a DLL.[3]

Enterprise T1486 Data Encrypted for Impact

KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[1]

Enterprise T1485 Data Destruction

KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.[2]

Enterprise T1083 File and Directory Discovery

KillDisk has used the FindNextFile command as part of its file deletion process.[4]

Enterprise T1489 Service Stop

KillDisk terminates various processes to get the user to reboot the victim machine.[4]

Enterprise T1106 Native API

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.[3]

Enterprise T1027 Obfuscated Files or Information

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[3]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

KillDisk overwrites the first sector of the Master Boot Record with "0x00".[3]
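As an added forensic triage example (not part of the ATT&CK entry and not KillDisk code), the following Python parses a 512-byte first sector and reports whether it looks intact, has an empty partition table, lacks the 0x55AA boot signature, or has been zeroed as described above. Both sectors it checks are constructed inline; on a real system the input would be the first 512 bytes of a disk image.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entries(mbr):
    """Decode the four 16-byte partition table entries at offset 446."""
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector):
    """Classify the first sector of a disk and return the findings as a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "zeroed": sector.count(0) == SECTOR_SIZE,
        "partitions": [e for e in parse_partition_entries(sector) if e["type"] != 0],
    }
    if findings["zeroed"]:
        findings["verdict"] = "wiped-zero"            # consistent with a 0x00 overwrite
    elif not findings["signature_ok"]:
        findings["verdict"] = "no-boot-signature"     # e.g. random-data overwrite
    elif not findings["partitions"]:
        findings["verdict"] = "empty-partition-table"
    else:
        findings["verdict"] = "intact"
    return findings


def build_sample_mbr():
    """Constructed healthy MBR: one bootable NTFS partition starting at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"  # constructed stand-in for boot code, not a real loader
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


HEALTHY_MBR = build_sample_mbr()          # constructed sample
WIPED_MBR = bytes(SECTOR_SIZE)            # constructed: first sector after a 0x00 overwrite

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, triage_mbr(sector)["verdict"])
```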

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.[2]

Enterprise T1070.004 Indicator Removal: File Deletion

KillDisk has the ability to quit and delete itself.[5]

Enterprise T1082 System Information Discovery

KillDisk retrieves the hard disk handle by calling the CreateFileA API on \\.\PHYSICALDRIVE0.[3]

Enterprise T1529 System Shutdown/Reboot

KillDisk attempts to reboot the machine by terminating specific processes.[4]

Enterprise T1134 Access Token Manipulation

KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk obtains the access token, it then attempts to modify the token privileges with AdjustTokenPrivileges.[4]

Enterprise T1057 Process Discovery

KillDisk has called GetCurrentProcess.[4]

ICS T0809 Data Destruction

KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion.[6]

ICS T0872 Indicator Removal on Host

KillDisk deletes application, security, setup, and system event logs from Windows systems.[6]

ICS T0829 Loss of View

KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.[7]

ICS T0881 Service Stop

KillDisk looks for and terminates two non-standard processes, one of which is an ICS application.[6]
