S0607 KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]
| Item | Value |
|---|---|
| ID | S0607 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 20 January 2021 |
| Last Modified | 08 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, it then attempts to modify the token privileges with AdjustTokenPrivileges.[4] |
| enterprise | T1485 | Data Destruction | KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.[2] |
| enterprise | T1486 | Data Encrypted for Impact | KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[1] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | KillDisk overwrites the first sector of the Master Boot Record with 0x00.[3] |
| enterprise | T1083 | File and Directory Discovery | KillDisk has used the FindNextFile API as part of its file deletion process.[4] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | KillDisk deletes the Application, Security, Setup, and System Windows Event Logs.[2] |
| enterprise | T1070.004 | File Deletion | KillDisk has the ability to quit and delete itself.[5] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | KillDisk registers as a service under the name Plug-And-Play Support.[5] |
| enterprise | T1106 | Native API | KillDisk has called the Windows API to retrieve the hard disk handle and to shut down the machine.[3] |
| enterprise | T1027 | Obfuscated Files or Information | KillDisk uses VMProtect to make reverse engineering the malware more difficult.[3] |
| enterprise | T1057 | Process Discovery | KillDisk has called GetCurrentProcess.[4] |
| enterprise | T1489 | Service Stop | KillDisk terminates various processes to get the user to reboot the victim machine.[4] |
| enterprise | T1129 | Shared Modules | KillDisk loads and executes functions from a DLL.[3] |
| enterprise | T1082 | System Information Discovery | KillDisk retrieves the hard disk handle by calling CreateFileA on the device path `\\.\PHYSICALDRIVE0`.[3] |
| enterprise | T1529 | System Shutdown/Reboot | KillDisk attempts to reboot the machine by terminating specific processes.[4] |
| ics | T0809 | Data Destruction | KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion.[6] |
| ics | T0872 | Indicator Removal on Host | KillDisk deletes the Application, Security, Setup, and System event logs from Windows systems.[6] |
| ics | T0829 | Loss of View | KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.[7] |
| ics | T0881 | Service Stop | KillDisk looks for and terminates two non-standard processes, one of which is an ICS application.[6] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | [8][9] |
| G0082 | APT38 | [10] |
References
1. Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
2. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
3. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
4. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
5. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
6. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
7. Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019.
8. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
9. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
10. Kálnai, P., Cherepanov, A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.