Dreaded KillDisk Malware now includes Ransomware abilities

December 29, 2016  By Pierluigi Paganini


Researchers at security firm CyberX have recently discovered a variant of the KillDisk malware that also implements ransomware features.

KillDisk is a malware that has been used in attacks against industrial control systems (ICS), it was developed to wipe the hard drives of the infected machine in order to make it inoperable.

The new variant is able to encrypt the file with AES algorithm, the malware uses a unique key for each target and encrypt it with an RSA 1028 algorithm with a key stored in the body of the malware.

The variant of the KillDisk malware is able to encrypt a large number of files from both local partitions and network folders are targeted.

Victims are requested to pay 222 bitcoins ($206,000) to recover their files, a very exorbitant figure that suggests the intention of the author is to attack organizations with deep pockets.

The experts believe the variant has been developed by the TeleBots group, a Russian cybercriminal gang that developed its Telebots malware starting from the BlackEnergy one. The group was recently observed by experts from ESET targeting Ukrainian banks.

“This new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang. The Sandworm gang is responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware” states the report published by the CyberX.

The researchers speculate the malware is being distributed via malicious Office attachments, a close look at the contact email used in the instructions reveals that hackers used the Tor anonymous email service lelantos.org.

The Bitcoin Wallet used by the hackers is still empty and there is no indication of past transactions.

KillDisk Malware

CyberX noticed that the same RSA public key is used for all samples of malware it analyzed, this implies that it could be used to decrypt files for all victims.

According to CyberX, the KillDisk malware first elevate its privileges and then registers itself as a service. The malicious code kills various processes, not critical system ones and processes associated with anti-malware applications, to avoid triggering detection.

Stay Tuned

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – TeleBots , KillDisk malware)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.








  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

The Leet Botnet powered a 650 Gbps DDoS attack before Christmas

 Just before Christmas a massive DDoS attack powered by a new botnet dubbed Leet Botnet hit the network of the firm Imperva. Security...