How Pseudo-ransomware KillDisk Creates a Smoke Screen for Cybercriminals


We all remember Petya/NotPetya. How could you forget? The nasty malware took cues from WannaCry, leveraging the same SMB vulnerability. But instead of locking away files, Petya/NotPetya was a wiper, simply cleaning devices of their data. Petya was not the first wiper we’ve seen, and it’s certainly not the last. In fact, a classic disk wiper called KillDisk is currently re-emerging in Latin America, targeting financial firms. Once dropped on a computer, it loads itself into memory, deletes its files from disk, and renames itself.
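The load-into-memory-then-delete behaviour described above leaves one clear host-side trace: a process whose executable no longer exists on disk. The Python script below is an added illustration of how a defender can check for that trace; it is not code from this post or from McAfee, and it assumes a Linux host with /proc mounted (the kernel appends " (deleted)" to the /proc/PID/exe link once the binary's inode is unlinked). The `demo_deleted_image_detection` helper reproduces the trace harmlessly with a copy of `sleep`; the `running_from_deleted_image` scanner and the binary name are constructed for the example and are not KillDisk indicators.

```python
"""Added illustration: find processes whose executable was deleted from disk.

Not code from the original post or from McAfee. Assumes a Linux host with
/proc mounted. A process that loaded itself into memory and then removed its
own file on disk shows up here; nothing in this script is a KillDisk IoC.
"""
import os
import shutil
import subprocess
import tempfile

DELETED_SUFFIX = " (deleted)"


def running_from_deleted_image(proc_root="/proc"):
    """Return [(pid, original_path)] for processes whose executable is gone.

    The kernel appends " (deleted)" to the /proc/<pid>/exe link target when
    the inode has been unlinked. A package upgrade produces the same suffix
    (old inode unlinked, new file at the same path), so a process is only
    reported when no file exists at the original path any more.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or not ours to inspect
        if not target.endswith(DELETED_SUFFIX):
            continue
        original = target[: -len(DELETED_SUFFIX)]
        if os.path.exists(original):
            continue  # replaced in place (e.g. an upgrade), not removed: skip
        hits.append((int(entry), original))
    return hits


def demo_deleted_image_detection():
    """Reproduce the trace harmlessly: run a copy of `sleep`, unlink it, scan.

    Returns True if the scanner reports that process. The copy keeps the
    name `sleep` so busybox-style multi-call binaries still dispatch
    correctly when invoked through it.
    """
    sleep_bin = shutil.which("sleep")
    if sleep_bin is None:
        raise RuntimeError("no sleep binary available for the demonstration")
    workdir = tempfile.mkdtemp(prefix="wiper-demo-")
    copy_path = os.path.join(workdir, "sleep")
    shutil.copy2(sleep_bin, copy_path)
    child = subprocess.Popen([copy_path, "60"])  # exec has completed on return
    try:
        os.unlink(copy_path)  # the "delete its files from disk" step
        flagged = {pid for pid, _ in running_from_deleted_image()}
        return child.pid in flagged
    finally:
        child.kill()
        child.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for pid, path in running_from_deleted_image():
        print(f"pid {pid} is running from deleted image {path}")
    print("demo flagged the unlinked copy:", demo_deleted_image_detection())
```

Run it as root to see every process; unprivileged runs silently skip processes they may not inspect. The "file still exists at the original path" filter is what keeps routine package upgrades out of the result, which is the main source of noise for this check.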

KillDisk is one of the most infamous malware families around. It has historically masked itself as ransomware but is in fact a highly destructive wiper. Cybercriminals typically deploy it in the later stages of an infection to hide their tracks, wiping disks and destroying forensic evidence. That’s precisely why it was paired with the BlackEnergy malware during Telebots’ attacks on the Ukrainian power grid: so the cybercriminals could carry out their scheme with stealth.

As Christiaan Beek, lead scientist and principal engineer at McAfee, puts it, that’s a wiper’s bread and butter. He says, “In the past we have seen wipers being used targeting the Energy sector in the Ukraine, Oil & Gas industry in the Middle-East, Media-company and against targets in South Korea. All of these were related to regional or political conflicts.”

Destruction is clearly the end goal, but stealth is the way to get there. Beek continues, “In 2017, we introduced the term pseudo-ransomware where destructive attacks disguised as ransomware either took down companies in a nation or were used to keep the IT-department busy while money was being transferred at the same time. Now with KillDisk, it seems that criminals do not hesitate to use it during their campaigns. Since the initial infection vector is unknown and we are lacking further samples or details, we can only speculate why they are using this.”

That’s the ultimate question – why? Is KillDisk part of a larger attack, intended to help cybercriminals avoid detection? Or are crooks extorting these financial institutions for monetary gain? As of now, we’re unsure of the motive. But we do know that as this threat continues to evolve and creates a convincing smoke screen, we all must be as vigilant as ever.

To learn more about our fight against ransomware, check out the alliance No More Ransom. And be sure to follow us at @McAfee and @McAfee_Labs.
