Dead In The Water: A Deep Dive Into KillDisk

Overview

KillDisk made its entry onto the world stage as a component of the BlackEnergy trojan; most notable for its attacks on the Ukrainian energy sector between 2014 and 2015. What KillDisk lacks in speed it makes up for in effectiveness; earning the reputation as one of the most destructive wipers in existence.

The name KillDisk was coined by researchers at ESET but has since become a generic term for any wiper malware that carries out the following steps:

1. The secure deletion of the filesystem

2. The destruction of the partition space containing the master boot record

3. A system reboot rendering the computer unusable.

Recent manifestations of “KillDisk” share very few code similarities with the original BlackEnergy module. This causes confusion when attempting to develop detection rules or when researching seemingly related samples. The trailing three letters of the KillDisk signature denote a subfamily. In some cases, there is enough code similarity to associate multiple subfamilies under a single subfamily group.

The following characteristics vary between samples:
– The amount of time KillDisk will wait before overwriting the filesystem (default being 15 min).
– How much of each file is overwritten.
– Targeted file types.
– Which directories and sub-directories are ignored.

KillDisk (KillDisk.NBB, KillDisk.NBC, KillDisk.NBD)

This subfamily of KillDisk was known for its role in the attacks on the Ukrainian energy sector beginning in 2014, and for the attack on a Ukrainian media organization.

Weaponization of the payloads varies slightly. Most samples delivered contain a Visual Basic script attached as a Macro within Microsoft Office documents such as Word and Excel. If the user has macros enabled, the file script is saved in the Windows TEMP directory and begins downloading the various components needed to install the malware to disk.

In the latter example, KillDisk was placed on a network share and detonated remotely. The attackers used stolen credentials to access the organization’s domain controller server to create a policy that would cause each computer to retrieve and execute the payload upon reboot.

File enumeration

KillDisk’s earliest manifestation contained a hard-coded list of over 4000 file extensions that it targeted in its mission to seek and destroy. Later variants have narrowed that scope to a list of 35 file extensions or fewer. KillDisk searches for these files by iterating through the file system with calls to Windows APIs such as FindFirstFile and FindNextFile. To preserve the integrity of the operating system, KillDisk skips directories such as Windows, Program Files, and ProgramData, delaying their destruction until later in the execution process.

Filesystem Destruction

KillDisk is nothing if not thorough. Merely deleting a filesystem will not prevent its recovery from the disk using basic forensic measures. To ensure the full destruction of the host filesystem, KillDisk employs three techniques.

File Deletion

KillDisk implements what is known as secure deletion, ensuring the filesystem is unrecoverable. After overwriting a file with null data, KillDisk uses the DeleteFile API to mark the sectors as unused.

Overwriting the Filesystem

KillDisk overwrites the targeted file types with either a single repeated byte value or random byte values. In the random case, KillDisk fills its memory buffer by calling the seed and rand functions, which requires more computational resources and results in slower execution. It then uses the Win32 CreateFile function to obtain a handle to the target file and the WriteFile function to overwrite that file with the chosen byte values. The same API functions are used later to overwrite the PhysicalDisk0 disk space where the master boot record is stored.

Drive Destruction

Destruction of PhysicalDisk0 begins by opening the first raw sector of the disk with the CreateFileA API. It then uses the WriteFile API to overwrite each subsequent sector. This is a faster process than overwriting each file, because files can be fragmented across the disk, forcing the actuator arm to jump back and forth across the platter to overwrite a single file.

KillDisk (Win32/KillDisk.NBO)

In 2017 ESET discovered two instances of a KillDisk variant that had been used in an attack against a Central American online casino. ESET named this version Win32/KillDisk.NBO. Although the motive for the attack wasn’t clear, it’s reasonable to assume the wiper was used to destroy evidence of financial crime committed against the casino or to cover the attackers’ tracks while they attempted to gather information on an associated third party.

It’s important to note that ESET researchers observed that these samples are “nearly identical” to others used in attacks against financial institutions in Latin America.

KillDisk (Win32/KillDisk.NBO, TROJ_KILLDISK.IUE, TROJ_KILLDISK.IBU)

In January 2018, researchers at TrendMicro observed a KillDisk variant being leveraged against several Latin American financial institutions. These samples appear to be identical to those leveraged against the South American online casino, making it likely that the same threat actor is responsible. However, in this attack, the threat actors targeted the network responsible for carrying out SWIFT transactions.

The executable file path hardcoded into the malware (C:\Windows\dimens.exe) is the same as that of the sample analyzed by researchers at ESET. Like its predecessor birthed by BlackEnergy, this wiper makes calls to the Windows API to iterate through and securely delete the filesystem, overwrite the first sector of \\.\PHYSICALDRIVE0, and force a system reboot once it has completed its destructive lifecycle.

File Deletion

The process of overwriting and deleting files begins by targeting drive B: and continues through each successive drive. In each iteration of KillDisk, the malware maintains the stability of the operating system by ignoring the contents of certain directories and subdirectories. The list of these directories has grown slightly in contrast to other versions.

WINNT
Users
Windows
Program Files
Program Files (x86)
ProgramData
Recovery
$Recycle.Bin
System Volume Information
old
PerfLogs

There are other departures in this variant’s process that are worth pointing out. The malware renames each file using a random string value before overwriting it. Additionally, there are two noticeable differences that likely help increase performance and decrease the overall execution time. The first is that it overwrites only the first 0x2800 bytes of each file plus one further block of the same length. The other is the data it uses to overwrite the filesystem.
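The two overwrite modes described under “Overwriting the Filesystem” above (a single repeated byte value or random bytes) and NBO’s habit of touching only the first 0x2800 bytes of each file suggest a simple triage check for files recovered from a suspect host. The Python below is an added example written for this page, not code from the write-up or from any of the cited vendors. BLOCK_LEN follows the 0x2800 figure above; the 7.9 bits/byte entropy threshold is an assumption; and the sample files it creates are constructed.

```python
import math
import os
import tempfile

BLOCK_LEN = 0x2800          # 10240 bytes, the per-file block size the write-up gives for NBO
RANDOM_ENTROPY_MIN = 7.9    # assumed threshold: uniform random bytes score close to 8.0 bits/byte


def shannon_entropy(data):
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(data):
    """Label a leading file block the way the two overwrite modes leave it:
    'constant-fill' (one repeated byte), 'random-fill' (near-maximal entropy)
    or 'structured' (anything else, e.g. an intact file header)."""
    if not data:
        return "empty"
    if data.count(data[0]) == len(data):
        return "constant-fill"
    if shannon_entropy(data) >= RANDOM_ENTROPY_MIN:
        return "random-fill"
    return "structured"


def triage_file(path, block_len=BLOCK_LEN):
    """Read only the first block, the region the write-up says NBO overwrites, and classify it."""
    with open(path, "rb") as fh:
        return classify_block(fh.read(block_len))


def triage_tree(root):
    """Walk a directory tree and return {relative_path: label} for every file.
    Names are not filtered by extension, because the malware renames files first."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = triage_file(full)
    return findings


def build_sample_tree():
    """Constructed samples (not real artefacts): an intact PE-like header,
    a zero-filled file and a random-filled file, each BLOCK_LEN bytes long."""
    root = tempfile.mkdtemp(prefix="killdisk_triage_")
    intact = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    intact = intact + b"\x00" * (BLOCK_LEN - len(intact))
    samples = {
        "tool.exe": intact,                    # header still present: looks intact
        "ledger.xlsx": b"\x00" * BLOCK_LEN,    # overwritten with a constant byte
        "Xq7bL2pz": os.urandom(BLOCK_LEN),     # overwritten with random bytes, name randomised
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, label in sorted(triage_tree(root).items()):
        print(f"{label:14s} {rel}")
```

A "random-fill" label is only a hint: compressed or encrypted formats (a .docx is a ZIP archive, for instance) also have a near-random first block, so the result should be cross-checked against the magic bytes the file is expected to carry before it is counted as wiped.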

Disk Destruction

Beginning with \\.\PhysicalDrive0, KillDisk will attempt to wipe each available drive in successive order. In another departure from previous samples, KillDisk.NBO overwrites only the first 0x20 sectors of each master boot record it finds on a device. It then uses the information within the MBR to overwrite the first 0x10 and last sectors of each non-extended partition. If it discovers an extended drive, it will instead overwrite the entire extended boot record and its two linked partitions.
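As an added example, not code from the write-up or from ESET or Trend Micro, the following Python parses a constructed MBR and lists the sector ranges the paragraph above says KillDisk.NBO overwrites, so that a responder knows exactly which ranges to diff against a known-good image or backup. Two assumptions are baked in and marked in the comments: “first 0x10 and last sectors” is read as the first 0x10 sectors plus the final sector of each partition, and the partition type codes 0x05 and 0x0F are used to recognise extended containers.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
# Well-known MBR partition type codes for extended-partition containers (assumed sufficient here).
EXTENDED_TYPES = {0x05, 0x0F}
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Constructed sample MBR (not a real disk image): one bootable NTFS
    primary partition and one extended container."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 204800),    # entry 0: bootable, NTFS, LBA 2048, 204800 sectors
        (0x00, 0x05, 206848, 409600),  # entry 1: extended container
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the boot-signature state and the populated partition entries.
    A missing 0x55AA signature is the first sign that sector 0 was overwritten."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    result = {"signature_ok": mbr[510:512] == BOOT_SIGNATURE, "partitions": []}
    if not result["signature_ok"]:
        return result
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # empty slot
        result["partitions"].append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "start_lba": lba, "sectors": count, "extended": ptype in EXTENDED_TYPES,
        })
    return result


def sectors_at_risk(mbr, mbr_sectors=0x20, head_sectors=0x10):
    """Sector ranges to compare against a known-good image, following the
    write-up: the first 0x20 sectors of the disk, then (assumed reading) the
    first 0x10 sectors and the last sector of every non-extended partition.
    Extended containers are returned separately, since their EBR chain lives
    outside the MBR and has to be walked on its own."""
    info = parse_mbr(mbr)
    ranges = [("mbr_area", 0, mbr_sectors - 1)]
    extended_starts = []
    for p in info["partitions"]:
        if p["extended"]:
            extended_starts.append(p["start_lba"])
            continue
        first, last = p["start_lba"], p["start_lba"] + p["sectors"] - 1
        ranges.append((f"partition{p['index']}_head", first, first + head_sectors - 1))
        ranges.append((f"partition{p['index']}_tail", last, last))
    return ranges, extended_starts


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    print(sectors_at_risk(sample))
    # A zero-filled sector 0 is what a wiped MBR looks like: no signature, no table.
    print(parse_mbr(bytes(SECTOR_SIZE)))
```

Because the partition table is needed to compute the per-partition ranges, the parser has to run against a pre-incident image or backup of sector 0; once the MBR itself has been overwritten, the ranges can no longer be derived from the affected disk.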

System Reboot

Before KillDisk.NBO commits to the reboot, it will try to terminate csrss.exe, wininit.exe, winlogon.exe, and lsass.exe.

Ransomware variants

The first instances of the Windows KillDisk ransomware appeared in 2016. In this campaign, KillDisk was leveraged in destructive attacks against certain Ukrainian banks. It’s plausible that the encrypted files were never meant to be decrypted and that KillDisk was modified to take advantage of the financial nature of the target.

The Windows variant encrypts local hard drives and any folders shared across the network by the affected machine. Using AES symmetric key encryption, each file is encrypted with its own key, and the rather lengthy string “DoN0t0uch7h!$CrYpteDfilE” is appended to it to prevent the malware from encrypting the same file twice.

In 2016, ESET researchers published a report on a KillDisk Linux ransomware variant they named Linux/KillDisk.A. The routines executed in the Linux version are naturally much different from those used by the Windows versions: differences in partition tables and partition formats require very different logic to reach the same end goal. For instance, the Linux variant iterates through the following directories, including 17 subdirectories:

/boot
/bin
/sbin
/lib
/security
/lib64
/security
/usr
/local
/etc
/etc
/mnt
/share
/media
/home
/usr
/tmp
/opt
/var
/root

Further, the Windows variant uses several native APIs to perform the basic functions of the malware. These simply don’t exist in the Linux OS. Aside from the ransom note, it’s a bit difficult to ascertain why the name KillDisk is used at all.

The only similarities between the Windows and Linux variants mentioned in the ESET report apply to the encryption process. Linux/KillDisk.A also uses symmetric key encryption and encrypts each file with a unique key. However, the Linux version uses Triple-DES encryption rather than AES.

Interestingly, the encryption keys are not saved locally or sent to a C2 server for later decryption, leaving the impression that the files are never meant to be decrypted to begin with. This would insinuate that Linux/KillDisk.A is executed as an act of cyber-sabotage.

Current Observations

According to the Shadowserver Foundation, KillDisk.NBO and KillDisk.NBD have been seen in the wild as recently as February of 2023. VirusTotal shows samples uploaded as late as April of 2023. Given the number of new variants and their highly customized nature, these generic wipers show no sign of going away.

References

https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html

https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/

https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/
