KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | KillDisk has attempted to get the access token of a process by calling |
| | | | KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions. |
| Enterprise | T1486 | Data Encrypted for Impact | KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted. |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | KillDisk overwrites the first sector of the Master Boot Record with "0x00". |
| Enterprise | T1083 | File and Directory Discovery | KillDisk has used the |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | KillDisk deletes Application, Security, Setup, and System Windows Event Logs. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | KillDisk registers as a service under the Plug-And-Play Support name. |
| | | | KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine. |
| Enterprise | T1027 | Obfuscated Files or Information | KillDisk uses VMProtect to make reverse engineering the malware more difficult. |
| | | | KillDisk terminates various processes to get the user to reboot the victim machine. |
| Enterprise | T1082 | System Information Discovery | KillDisk retrieves the hard disk name by calling the |
| | | | KillDisk attempts to reboot the machine by terminating specific processes. |
| | | | KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. |
| ICS | T0872 | Indicator Removal on Host | KillDisk deletes application, security, setup, and system event logs from Windows systems. |
| ICS | T0829 | Loss of View | KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable. |
| | | | KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. |
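As an added example that is not part of the ATT&CK entry above, the following Python hunts exported Windows event records for two of the tabulated behaviours: the clearing of the Application, Security, Setup and System logs (T1070.001) and the installation of a service whose name imitates "Plug-And-Play Support" (T1036.004). Event IDs 1102, 104 and 7045 are standard Windows audit events; the sample records, the record layout and the scoring are assumptions made for this example.

```python
import re

# Constructed Event Viewer style records for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 1102, "Message": "The audit log was cleared.\nSubject:\n\tAccount Name:\tadmin"},
    {"Channel": "System", "EventID": 104, "Message": "The System log file was cleared."},
    {"Channel": "System", "EventID": 104, "Message": "The Application log file was cleared."},
    {"Channel": "System", "EventID": 104, "Message": "The Setup log file was cleared."},
    {"Channel": "System", "EventID": 7045, "Message": "A service was installed in the system.\nService Name:  Plug-And-Play Support\nService File Name:  C:\\Windows\\Temp\\pnp.exe\nService Type:  user mode service"},
    {"Channel": "System", "EventID": 7045, "Message": "A service was installed in the system.\nService Name:  Backup Agent\nService File Name:  C:\\Program Files\\Backup\\agent.exe\nService Type:  user mode service"},
    {"Channel": "Security", "EventID": 4624, "Message": "An account was successfully logged on."},
]

LOGS_KILLDISK_CLEARS = {"Application", "Security", "Setup", "System"}  # from the T1070.001 row
SERVICE_RE = re.compile(r"Service Name:\s*(.+?)\s*\nService File Name:\s*(.+?)\s*\n")
CLEARED_RE = re.compile(r"The (\w+) log file was cleared")

def cleared_logs(events):
    """Names of logs whose clearing was audited: 1102 in the Security channel
    for the Security log, 104 in the System channel for the other logs."""
    cleared = set()
    for ev in events:
        if ev["EventID"] == 1102 and ev["Channel"] == "Security":
            cleared.add("Security")
        elif ev["EventID"] == 104:
            m = CLEARED_RE.search(ev["Message"])
            if m:
                cleared.add(m.group(1))
    return cleared

def pnp_lookalike_service_installs(events):
    """(name, image path) of 7045 service installs whose name imitates Plug and
    Play. The genuine service ships with Windows, so a fresh install is odd."""
    hits = []
    for ev in events:
        m = SERVICE_RE.search(ev["Message"]) if ev["EventID"] == 7045 else None
        if not m:
            continue
        name, path = m.groups()
        key = re.sub(r"[^a-z]", "", name.lower())  # "Plug-And-Play" -> "plugandplay"
        if "plug" in key and "play" in key:
            hits.append((name, path))
    return hits

def killdisk_score(events):
    """One point per targeted log cleared, two more for a lookalike service install."""
    cleared = cleared_logs(events) & LOGS_KILLDISK_CLEARS
    services = pnp_lookalike_service_installs(events)
    return len(cleared) + (2 if services else 0), {"cleared_logs": sorted(cleared), "services": services}
```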