1. Home
  2. Software
  3. KillDisk

KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]

ID: S0607
Associated Software: Win32/KillDisk.NBI, Win32/KillDisk.NBH, Win32/KillDisk.NBD, Win32/KillDisk.NBC, Win32/KillDisk.NBB
Type: MALWARE
Platforms: Linux, Windows
Version: 1.2
Created: 20 January 2021
Last Modified: 06 October 2023
Version Permalink
Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, then it attempt to modify the token privileges with AdjustTokenPrivileges.[4]
Enterprise T1485 Data Destruction

KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.[2]
Enterprise T1486 Data Encrypted for Impact

KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[1]
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

KillDisk overwrites the first sector of the Master Boot Record with "0x00".[3]
Enterprise T1083 File and Directory Discovery

KillDisk has used the FindNextFile command as part of its file deletion process.[4]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.[2]
.004 Indicator Removal: File Deletion

KillDisk has the ability to quit and delete itself.[5]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

KillDisk registers as a service under the Plug-And-Play Support name.[5]
Enterprise T1106 Native API

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.[3]
Enterprise T1027 Obfuscated Files or Information

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[3]
Enterprise T1057 Process Discovery

KillDisk has called GetCurrentProcess.[4]
Enterprise T1489 Service Stop

KillDisk terminates various processes to get the user to reboot the victim machine.[4]
Enterprise T1129 Shared Modules

KillDisk loads and executes functions from a DLL.[3]
Enterprise T1082 System Information Discovery

KillDisk retrieves the hard disk name by calling the CreateFileA to \.\PHYSICALDRIVE0 API.[3]
Enterprise T1529 System Shutdown/Reboot

KillDisk attempts to reboot the machine by terminating specific processes.[4]
ICS T0809 Data Destruction

KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. [6]
ICS T0872 Indicator Removal on Host

KillDisk deletes application, security, setup, and system event logs from Windows systems. [6]
ICS T0829 Loss of View

KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable. [7]
ICS T0881 Service Stop

KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. [6]

Groups That Use This Software

ID Name References
G0082 APT38

[8]
G0034 Sandworm Team

[9][10][11]

Campaigns

ID Name Description
C0028 2015 Ukraine Electric Power Attack

[7]

References

  1. Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
  2. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
  3. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  4. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  5. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  6. Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29
  1. Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22
  2. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  3. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  4. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  5. Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.