Skip to content

S0607 KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.1234

Item Value
ID S0607
Associated Names
Version 1.1
Created 20 January 2021
Last Modified 08 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, then it attempt to modify the token privileges with AdjustTokenPrivileges.4
enterprise T1485 Data Destruction KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.2
enterprise T1486 Data Encrypted for Impact KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.1
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe KillDisk overwrites the first sector of the Master Boot Record with “0x00”.3
enterprise T1083 File and Directory Discovery KillDisk has used the FindNextFile command as part of its file deletion process.4
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs KillDisk deletes Application, Security, Setup, and System Windows Event Logs.2
enterprise T1070.004 File Deletion KillDisk has the ability to quit and delete itself.5
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service KillDisk registers as a service under the Plug-And-Play Support name.5
enterprise T1106 Native API KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.3
enterprise T1027 Obfuscated Files or Information KillDisk uses VMProtect to make reverse engineering the malware more difficult.3
enterprise T1057 Process Discovery KillDisk has called GetCurrentProcess.4
enterprise T1489 Service Stop KillDisk terminates various processes to get the user to reboot the victim machine.4
enterprise T1129 Shared Modules KillDisk loads and executes functions from a DLL.3
enterprise T1082 System Information Discovery KillDisk retrieves the hard disk name by calling the CreateFileA to \.\PHYSICALDRIVE0 API.3
enterprise T1529 System Shutdown/Reboot KillDisk attempts to reboot the machine by terminating specific processes.4
ics T0809 Data Destruction KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. 6
ics T0872 Indicator Removal on Host KillDisk deletes application, security, setup, and system event logs from Windows systems. 6
ics T0829 Loss of View KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable. 7
ics T0881 Service Stop KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. 6

Groups That Use This Software

ID Name References
G0034 Sandworm Team 89
G0082 APT38 10