KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]

ID: S0607
Associated Software: Win32/KillDisk.NBI, Win32/KillDisk.NBH, Win32/KillDisk.NBD, Win32/KillDisk.NBC, Win32/KillDisk.NBB
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0
Created: 20 January 2021
Last Modified: 14 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, it then attempts to modify the token privileges with AdjustTokenPrivileges.[4]

Enterprise T1485 Data Destruction

KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.[2]

Enterprise T1486 Data Encrypted for Impact

KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[1]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

KillDisk overwrites the first sector of the Master Boot Record with "0x00".[3]

Enterprise T1083 File and Directory Discovery

KillDisk has used the FindNextFile command as part of its file deletion process.[4]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.[2]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

KillDisk registers as a service under the Plug-And-Play Support name.[5]

Enterprise T1106 Native API

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.[3]

Enterprise T1027 Obfuscated Files or Information

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[3]

Enterprise T1057 Process Discovery

KillDisk has called GetCurrentProcess.[4]

Enterprise T1489 Service Stop

KillDisk terminates various processes to get the user to reboot the victim machine.[4]

Enterprise T1129 Shared Modules

KillDisk loads and executes functions from a DLL.[3]

Enterprise T1082 System Information Discovery

KillDisk retrieves the hard disk name by calling the CreateFileA API on \\.\PHYSICALDRIVE0.[3]

Enterprise T1529 System Shutdown/Reboot

KillDisk attempts to reboot the machine by terminating specific processes.[4]

Groups That Use This Software

ID Name References
G0034 Sandworm Team [6]
G0082 APT38 [7]

References