win.killdisk

KillDisk

Actor(s): Sandworm, TeleBots


KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting and then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and thus can help researchers make connections between them.

References

2025-01-15 | CTFIOT | CTFIOT
Article 113: One of the Russian-Ukrainian cyberwars, a review of the first major blackout in Ukraine caused by the Sandworm APT organization
KillDisk

2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain, CaddyWiper, DesertBlade, DoubleZero, EternalPetya, HermeticWiper, HermeticWizard, INDUSTROYER2, IsaacWiper, KillDisk, PartyTicket, WhisperGate

2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle, CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, IsraBye, KillDisk, Meteor, Olympic Destroyer, Ordinypt, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare

2022-02-24 | nviso | Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya, GreyEnergy, HermeticWiper, Industroyer, KillDisk, WhisperGate

2020-01-01 | Secureworks | SecureWorks
IRON VIKING
BlackEnergy, EternalPetya, GreyEnergy, Industroyer, KillDisk, TeleBot, TeleDoor

2017-05-31 | MITRE | MITRE ATT&CK
Sandworm Team
CyclopsBlink, Exaramel, BlackEnergy, EternalPetya, Exaramel, GreyEnergy, KillDisk, MimiKatz, Olympic Destroyer, Sandworm

2017-01-05 | ESET Research | Peter Kálnai, Robert Lipovsky
KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
KillDisk, Sandworm

2016-12-13 | ESET Research | Anton Cherepanov
The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor, KillDisk, TeleBot

2016-12-13 | ESET Research | Anton Cherepanov
The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk, TeleBot, Sandworm
Yara Rules
[TLP:WHITE] win_killdisk_auto (20260504 | Detects win.killdisk.)
rule win_killdisk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.killdisk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 883424 ff742420 8f4500 9c 51 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   883424               | mov                 byte ptr [esp], dh
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   8f4500               | pop                 dword ptr [ebp]
            //   9c                   | pushfd              
            //   51                   | push                ecx

        $sequence_1 = { 57 8dbc2444030000 2bc1 8bf1 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8dbc2444030000       | lea                 edi, [esp + 0x344]
            //   2bc1                 | sub                 eax, ecx
            //   8bf1                 | mov                 esi, ecx

        $sequence_2 = { d1924dbeb698 760a d035???????? d6 d487 ce }
            // n = 6, score = 100
            //   d1924dbeb698         | rcl                 dword ptr [edx - 0x674941b3], 1
            //   760a                 | jbe                 0xc
            //   d035????????         |                     
            //   d6                   | salc                
            //   d487                 | aam                 0x87
            //   ce                   | into                

        $sequence_3 = { 8b4c2424 2bc8 894c244c 8b4c2430 2bc8 89542414 }
            // n = 6, score = 100
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   2bc8                 | sub                 ecx, eax
            //   894c244c             | mov                 dword ptr [esp + 0x4c], ecx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   2bc8                 | sub                 ecx, eax
            //   89542414             | mov                 dword ptr [esp + 0x14], edx

        $sequence_4 = { 8f44241c c64424148e c644240426 e8???????? 4e e8???????? 54 }
            // n = 7, score = 100
            //   8f44241c             | pop                 dword ptr [esp + 0x1c]
            //   c64424148e           | mov                 byte ptr [esp + 0x14], 0x8e
            //   c644240426           | mov                 byte ptr [esp + 4], 0x26
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   e8????????           |                     
            //   54                   | push                esp

        $sequence_5 = { 7415 b907010000 8d7c2468 f3a5 8b431c }
            // n = 5, score = 100
            //   7415                 | je                  0x17
            //   b907010000           | mov                 ecx, 0x107
            //   8d7c2468             | lea                 edi, [esp + 0x68]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b431c               | mov                 eax, dword ptr [ebx + 0x1c]

        $sequence_6 = { 88742408 c70424ba7bbfa4 660fbae408 662dca11 e8???????? 881438 }
            // n = 6, score = 100
            //   88742408             | mov                 byte ptr [esp + 8], dh
            //   c70424ba7bbfa4       | mov                 dword ptr [esp], 0xa4bf7bba
            //   660fbae408           | bt                  sp, 8
            //   662dca11             | sub                 ax, 0x11ca
            //   e8????????           |                     
            //   881438               | mov                 byte ptr [eax + edi], dl

        $sequence_7 = { e8???????? 83c40c 6802040000 8d942484020000 6a00 52 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6802040000           | push                0x402
            //   8d942484020000       | lea                 edx, [esp + 0x284]
            //   6a00                 | push                0
            //   52                   | push                edx

        $sequence_8 = { 50 51 e8???????? 4e 80fcd7 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   80fcd7               | cmp                 ah, 0xd7

        $sequence_9 = { 28d8 882424 e9???????? 66894500 66897c240c 882c24 }
            // n = 6, score = 100
            //   28d8                 | sub                 al, bl
            //   882424               | mov                 byte ptr [esp], ah
            //   e9????????           |                     
            //   66894500             | mov                 word ptr [ebp], ax
            //   66897c240c           | mov                 word ptr [esp + 0xc], di
            //   882c24               | mov                 byte ptr [esp], ch

        $sequence_10 = { 9c 6689742404 8d642450 e9???????? 89442424 }
            // n = 5, score = 100
            //   9c                   | pushfd              
            //   6689742404           | mov                 word ptr [esp + 4], si
            //   8d642450             | lea                 esp, [esp + 0x50]
            //   e9????????           |                     
            //   89442424             | mov                 dword ptr [esp + 0x24], eax

        $sequence_11 = { 7407 56 ff15???????? 56 ff15???????? 85c0 }
            // n = 6, score = 100
            //   7407                 | je                  9
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_12 = { 8d4c2404 51 b9???????? e8???????? 8bf0 e8???????? }
            // n = 6, score = 100
            //   8d4c2404             | lea                 ecx, [esp + 4]
            //   51                   | push                ecx
            //   b9????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     

        $sequence_13 = { 0f8402020000 8b442418 85c0 0f84f6010000 }
            // n = 4, score = 100
            //   0f8402020000         | je                  0x208
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   0f84f6010000         | je                  0x1fc

        $sequence_14 = { 8b1495a098c201 8d440224 802080 884dfd 8065fd48 }
            // n = 5, score = 100
            //   8b1495a098c201       | mov                 edx, dword ptr [edx*4 + 0x1c298a0]
            //   8d440224             | lea                 eax, [edx + eax + 0x24]
            //   802080               | and                 byte ptr [eax], 0x80
            //   884dfd               | mov                 byte ptr [ebp - 3], cl
            //   8065fd48             | and                 byte ptr [ebp - 3], 0x48

        $sequence_15 = { e9???????? 9c 9c 66894504 57 60 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   66894504             | mov                 word ptr [ebp + 4], ax
            //   57                   | push                edi
            //   60                   | pushal              

    condition:
        7 of them and filesize < 10817536
}