KillDisk Malware Gets Ransomware Upgrade

KillDisk Malware Shadow Gun

KillDisk is a frightening name among security researchers. This is the malware that was used as a component of Blackenergy 3 to wipe the firmware off of ICS devices at a Ukrainian power plant—effectively destroying that equipment. The malware has been used to attack Western and NATO targets since at least 2014. Frighteningly, the KillDisk malware has just received a ransomware upgrade.

Within the last two months, security researchers have uncovered distinct strains of ransomware, designed to infect both Windows and Linux systems, which bear the unmistakable signature of KillDisk. This malware is robust, well-designed, and levies a steep toll—which means that enterprises and governments are bracing themselves for the first KillDisk ransomware attacks.

KillDisk Malware Was Already Deadly Enough

Leaving aside the path-breaking attacks on Ukraine’s utility grid, hackers have used KillDisk to wreak quite a swathe of damage. For example, during Ukraine’s 2015 elections, a KillDisk variant was used to attack various media companies. In this case, the KillDisk malware was customized to seek out and delete thousands of file types, most of which are used in audio and video production. Media coverage during the election suffered noticeably as a result.

This malware wasn’t just effective at destroying or hindering the operations of its targets—it also proved useful for covering the tracks of the attackers who used it. It featured customizable settings that allowed its users to set off KillDisk like a time bomb, without having to connect to the malware remotely. Lastly, this toolkit is essentially modular, which made it a perfect fit to accept ransomware capabilities.

KillDisk Ransomware: Fundraising or Tradecraft?

The ransomware component of KillDisk is especially well-designed, but many security experts agree that something feels off about it. For example, while the Windows variant of the malware encrypts files strongly, the Linux version is designed in such a way that any files it encrypted would be lost for good—the malware doesn’t store an encryption key alongside the locked data. Second of all, there’s the ransom itself: at 222 Bitcoins, or nearly $250,000, it’s wildly extortionate, especially when the average ransomware demand is still less than $1000.

KillDisk Ransomware SwordsEssentially, there are two possibilities here. The first is that this really is legitimate ransomware. Since the KillDisk authors (a group known as Telebots) have a history of attacking industrial systems, it’s conceivable that they’d target organizations such as factories, chemical plants, electrical grids with this ransomware variant. These utilities usually have lots of capital, and can’t afford to remain shut down—it’s possible that they’d happily pay large sums of money to get their equipment back.


There’s another explanation, however, and it’s kind of frightening. See, the group behind KillDisk is known for mind-blowing attacks, but the KillDisk ransomware definitely isn’t blowing anyone’s mind (especially the wonky Linux version). Another working theory is that KillDisk is using its ransomware component as cover for a subtler intrusion. Companies will see that their files are locked, decide that they can’t afford the ransom, and that write off the data without knowing that it’s been stolen.

Fortunately for enterprises, any flavor of KillDisk malware stops short against the behavioral detection capabilities of SentinelOne. Our algorithm automatically flags and halts activities like the unauthorized creation or deletion of files, and allows administrators to roll back deleterious changes such as file encryption. More than that, we will reimburse companies up to $1 million for any ransomware that gets past our platform. Lastly, our server variant is handy for protecting Linux systems such as the ones under threat by the Linux KillDisk ransomware. For more information, check out our white paper on “Solving the AV Problem,” or contact SentinelOne today.