KillDisk is a disk-wiping tool that overwrites files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyberattacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134 | Access Token Manipulation | KillDisk has attempted to get the access token of a process by calling
Enterprise | T1485 | Data Destruction | KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions.[2]
Enterprise | T1486 | Data Encrypted for Impact | KillDisk has a ransomware component that encrypts files with an AES key, which is in turn encrypted with an RSA-1028 key.[1]
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | KillDisk overwrites the first sector of the disk (the Master Boot Record) with 0x00 bytes.[3]
Enterprise | T1083 | File and Directory Discovery | KillDisk has used the
Enterprise | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | KillDisk deletes the Application, Security, Setup, and System Windows Event Logs.[2]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | KillDisk registers itself as a service under the name "Plug-And-Play Support".[5]
Enterprise | T1106 | Native API | KillDisk calls Windows API functions to obtain a handle to the hard disk and to shut down the machine.[3]
Enterprise | T1027 | Obfuscated Files or Information | KillDisk uses VMProtect to make reverse engineering the malware more difficult.[3]
Enterprise | T1057 | Process Discovery |
Enterprise | T1489 | Service Stop | KillDisk terminates various processes to force the user to reboot the victim machine.[4]
Enterprise | T1129 | Shared Modules |
Enterprise | T1082 | System Information Discovery | KillDisk retrieves the hard disk name by calling the
Enterprise | T1529 | System Shutdown/Reboot | KillDisk attempts to force a reboot of the machine by terminating specific processes.[4]
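Two of the behaviours in the table leave traces in the Windows Event Log that are straightforward to alert on: clearing of the Application, Security, Setup and System logs (T1070.001) and registration of a service under the decoy name "Plug-And-Play Support" (T1036.004). The following Python is an added example of that detection logic; it is not KillDisk code or part of the MITRE entry. It assumes the standard Windows event IDs 1102 (Security log cleared), 104 (any other log cleared, provider Microsoft-Windows-Eventlog) and 7045 (new service installed); the event records it runs over are constructed to mirror the fields of real events, and the image path in the malicious record is a placeholder.

```python
"""Detection logic for two KillDisk behaviours listed on this page:
Clear Windows Event Logs (T1070.001) and Masquerade Task or Service
(T1036.004). Added example, not KillDisk code or MITRE content.

Event IDs used (standard Windows values):
  1102  Security log cleared            (Security channel)
  104   another log cleared             (System channel, Microsoft-Windows-Eventlog)
  7045  new service installed           (System channel, Service Control Manager)
"""
import re
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class WinEvent:
    channel: str
    event_id: int
    provider: str
    data: dict = field(default_factory=dict)


# Decoy service name taken from the T1036.004 row of this page.
DECOY_SERVICE_NAMES = {"Plug-And-Play Support"}


def _normalize(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'Plug and Play Support'
    and 'Plug-And-Play Support' compare equal, while the genuine service
    'PlugPlay' does not."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


_DECOYS_NORMALIZED = {_normalize(n) for n in DECOY_SERVICE_NAMES}


def detect_log_clearing(events: Iterable[WinEvent]) -> list[str]:
    """One alert per cleared log, plus an escalated alert when three or more
    distinct logs are cleared in the same batch (the four-log pattern in the
    T1070.001 row)."""
    cleared: list[str] = []
    for ev in events:
        if ev.event_id == 1102 and ev.channel == "Security":
            cleared.append("Security")
        elif ev.event_id == 104 and ev.provider == "Microsoft-Windows-Eventlog":
            # Event 104 records the cleared log's name in its Channel field.
            cleared.append(ev.data.get("Channel", "<unknown>"))
    alerts = [f"log cleared: {name}" for name in cleared]
    if len(set(cleared)) >= 3:
        alerts.append("HIGH: multiple event logs cleared in one batch (KillDisk pattern)")
    return alerts


def detect_suspicious_service(events: Iterable[WinEvent]) -> list[str]:
    """Flag 7045 service installs whose ServiceName matches a known decoy."""
    alerts = []
    for ev in events:
        if ev.event_id != 7045 or ev.channel != "System":
            continue
        name = ev.data.get("ServiceName", "")
        path = ev.data.get("ImagePath", "")
        if _normalize(name) in _DECOYS_NORMALIZED:
            alerts.append(f"service masquerade: '{name}' -> {path}")
    return alerts


def triage(events: Iterable[WinEvent]) -> dict:
    events = list(events)
    return {
        "log_clearing": detect_log_clearing(events),
        "service_masquerade": detect_suspicious_service(events),
    }


# Constructed sample: one benign logon, one genuine PnP service install,
# then the KillDisk-like sequence. Paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    WinEvent("Security", 4624, "Microsoft-Windows-Security-Auditing", {"LogonType": "2"}),
    WinEvent("System", 7045, "Service Control Manager",
             {"ServiceName": "PlugPlay", "ImagePath": r"C:\Windows\system32\svchost.exe -k DcomLaunch"}),
    WinEvent("System", 7045, "Service Control Manager",
             {"ServiceName": "Plug-And-Play Support", "ImagePath": r"C:\Users\Public\update.exe"}),
    WinEvent("Security", 1102, "Microsoft-Windows-Eventlog", {}),
    WinEvent("System", 104, "Microsoft-Windows-Eventlog", {"Channel": "Application"}),
    WinEvent("System", 104, "Microsoft-Windows-Eventlog", {"Channel": "Setup"}),
    WinEvent("System", 104, "Microsoft-Windows-Eventlog", {"Channel": "System"}),
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

The service check compares a normalized name rather than the literal string, so spacing or hyphenation variants of the decoy still match while the genuine `PlugPlay` service does not; in production the 1102/104 logic is the part that matters, since clearing all four logs in one short window is rare in legitimate administration.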
ID | Name | References
---|---|---
G0034 | Sandworm Team |
G0082 | APT38 |
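The Disk Structure Wipe row above says KillDisk zeroes the first sector of the disk. When triaging a suspected victim from a disk image, the first question is whether sector 0 still holds a parseable MBR or has been overwritten. The following Python is an added example of that check; it is not KillDisk code and not part of the MITRE entry. It relies only on the documented MBR layout (boot code, four 16-byte partition entries at offset 446, boot signature 0x55 0xAA at offset 510); the sample MBR it builds is constructed for the demonstration.

```python
"""Forensic triage for Disk Structure Wipe (T1561.002): classify sector 0 of a
disk image as an intact MBR, a zero-filled sector, or something else.
Added example; not KillDisk code or MITRE content.

MBR layout (512-byte sector):
  0..445    boot code
  446..509  four 16-byte partition entries
  510..511  boot signature 0x55 0xAA
"""
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def classify_sector0(sector: bytes) -> str:
    """Return 'short-read', 'zeroed', 'no-signature' or 'mbr'."""
    if len(sector) < SECTOR_SIZE:
        return "short-read"
    sector = sector[:SECTOR_SIZE]
    if sector == b"\x00" * SECTOR_SIZE:
        # Matches the 0x00 overwrite described in the T1561.002 row.
        return "zeroed"
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != BOOT_SIGNATURE:
        return "no-signature"
    return "mbr"


def partition_entries(sector: bytes) -> list[dict]:
    """Parse the four partition entries; empty entries (type 0x00) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        e = sector[off:off + 16]
        if len(e) < 16 or e[4] == 0:
            continue
        entries.append({
            "index": i,
            "bootable": e[0] == 0x80,
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def triage_sector(sector: bytes) -> dict:
    """Combine classification and partition parsing into one verdict."""
    kind = classify_sector0(sector)
    parts = partition_entries(sector) if kind == "mbr" else []
    if kind == "zeroed":
        verdict = "possible disk structure wipe: sector 0 is all 0x00"
    elif kind == "mbr" and parts:
        verdict = f"intact MBR with {len(parts)} partition entry(ies)"
    elif kind == "mbr":
        verdict = "boot signature present but partition table empty"
    else:
        verdict = f"sector 0 not recognised ({kind})"
    return {"kind": kind, "partitions": parts, "verdict": verdict}


def triage_image(path: str) -> dict:
    """Read sector 0 from a raw disk image (or a device node, with privileges)."""
    with open(path, "rb") as f:
        return triage_sector(f.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed MBR: short jump as boot code, one bootable NTFS (0x07)
    partition starting at LBA 2048 spanning 204800 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"
    entry = (bytes([0x80, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    print(triage_sector(build_sample_mbr())["verdict"])
    print(triage_sector(b"\x00" * SECTOR_SIZE)["verdict"])
```

A zero-filled sector 0 alone does not prove KillDisk, since other wipers and some imaging mistakes produce the same result, but it is the fastest way to confirm the "unbootable" outcome the page describes before committing to deeper recovery of the partition table from backup GPT headers or filesystem boot sectors.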