win.killdisk (Back to overview)

KillDisk

Actor(s): Sandworm, TeleBots


KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and can thus help researchers make connections between them.

References
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2017-01-05ESET ResearchRobert Lipovsky, Peter Kálnai
@online{lipovsky:20170105:killdisk:5d49eac, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt}, language = {English}, urldate = {2022-08-25} } KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
KillDisk Sandworm
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:057c5f4, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks}, language = {English}, urldate = {2022-08-25} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk TeleBot Sandworm
Yara Rules
[TLP:WHITE] win_killdisk_auto (20230125 | Detects win.killdisk.)
rule win_killdisk_auto {
    // Code-sequence signature for the KillDisk wiper family (Malpedia: win.killdisk).
    // Each $sequence_N below is a short run of x86 opcode bytes taken from the
    // disassembly of analysed samples. "??" wildcards mask operand bytes that vary
    // between builds -- per signator_config these are call/jump targets, data
    // references and embedded binary values -- so a sequence still matches after
    // the binary is relinked or rebased.
    // In the per-sequence annotations, "n" equals the number of instructions in
    // the sequence; "score" is the generator's own ranking of the sequence and its
    // exact meaning is defined by yara-signator, not by this rule.
    // NOTE(review): KillDisk is a generic detection name and the disclaimer below
    // states that only single samples per family feed the generator, so expect this
    // rule to cover the sampled variant(s) rather than every KillDisk sub-family;
    // a miss is not evidence of absence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.killdisk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 8945f0 ffd3 3b45f0 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ffd3                 | call                ebx
            //   3b45f0               | cmp                 eax, dword ptr [ebp - 0x10]

        $sequence_1 = { 660fb6f3 5e e8???????? 66ffc6 }
            // n = 4, score = 100
            //   660fb6f3             | movzx               si, bl
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   66ffc6               | inc                 si

        $sequence_2 = { 8b0c8dc00f4100 83e01f c1e006 f644080401 74cd 8b0408 5d }
            // n = 7, score = 100
            //   8b0c8dc00f4100       | mov                 ecx, dword ptr [ecx*4 + 0x410fc0]
            //   83e01f               | and                 eax, 0x1f
            //   c1e006               | shl                 eax, 6
            //   f644080401           | test                byte ptr [eax + ecx + 4], 1
            //   74cd                 | je                  0xffffffcf
            //   8b0408               | mov                 eax, dword ptr [eax + ecx]
            //   5d                   | pop                 ebp

        $sequence_3 = { 8d642454 e9???????? 880424 8774242c 9c 68a12348dd }
            // n = 6, score = 100
            //   8d642454             | lea                 esp, [esp + 0x54]
            //   e9????????           |                     
            //   880424               | mov                 byte ptr [esp], al
            //   8774242c             | xchg                dword ptr [esp + 0x2c], esi
            //   9c                   | pushfd              
            //   68a12348dd           | push                0xdd4823a1

        $sequence_4 = { 66892c24 9c 8d64244c e9???????? 9c 9c 9c }
            // n = 7, score = 100
            //   66892c24             | mov                 word ptr [esp], bp
            //   9c                   | pushfd              
            //   8d64244c             | lea                 esp, [esp + 0x4c]
            //   e9????????           |                     
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   9c                   | pushfd              

        $sequence_5 = { 75f1 8b4500 85c0 7423 }
            // n = 4, score = 100
            //   75f1                 | jne                 0xfffffff3
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25

        $sequence_6 = { 89442424 55 d1ee d96c2418 69c098000000 2bf8 }
            // n = 6, score = 100
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   55                   | push                ebp
            //   d1ee                 | shr                 esi, 1
            //   d96c2418             | fldcw               word ptr [esp + 0x18]
            //   69c098000000         | imul                eax, eax, 0x98
            //   2bf8                 | sub                 edi, eax

        $sequence_7 = { 56 894df4 8d4df4 c1e009 51 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   c1e009               | shl                 eax, 9
            //   51                   | push                ecx

        $sequence_8 = { 68???????? 51 e8???????? 83c408 85c0 0f8444020000 }
            // n = 6, score = 100
            //   68????????           |                     
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f8444020000         | je                  0x24a

        $sequence_9 = { 1bc0 83d8ff 85c0 0f8412010000 8d442444 50 56 }
            // n = 7, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   83d8ff               | sbb                 eax, -1
            //   85c0                 | test                eax, eax
            //   0f8412010000         | je                  0x118
            //   8d442444             | lea                 eax, [esp + 0x44]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_10 = { 6800020000 8d85e8fdffff 50 57 ff15???????? 85c0 }
            // n = 6, score = 100
            //   6800020000           | push                0x200
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_11 = { 66894500 ff3424 9c 6689742404 8d642450 e9???????? 89442424 }
            // n = 7, score = 100
            //   66894500             | mov                 word ptr [ebp], ax
            //   ff3424               | push                dword ptr [esp]
            //   9c                   | pushfd              
            //   6689742404           | mov                 word ptr [esp + 4], si
            //   8d642450             | lea                 esp, [esp + 0x50]
            //   e9????????           |                     
            //   89442424             | mov                 dword ptr [esp + 0x24], eax

        $sequence_12 = { 882424 881c24 e8???????? d2cd 80d213 }
            // n = 5, score = 100
            //   882424               | mov                 byte ptr [esp], ah
            //   881c24               | mov                 byte ptr [esp], bl
            //   e8????????           |                     
            //   d2cd                 | ror                 ch, cl
            //   80d213               | adc                 dl, 0x13

        $sequence_13 = { 8d8de4feffff 51 ffd7 85c0 7424 68???????? 8d95e4feffff }
            // n = 7, score = 100
            //   8d8de4feffff         | lea                 ecx, [ebp - 0x11c]
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7424                 | je                  0x26
            //   68????????           |                     
            //   8d95e4feffff         | lea                 edx, [ebp - 0x11c]

        $sequence_14 = { 0f89bc010000 60 9c 8f44241c c64424148e c644240426 e8???????? }
            // n = 7, score = 100
            //   0f89bc010000         | jns                 0x1c2
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   8f44241c             | pop                 dword ptr [esp + 0x1c]
            //   c64424148e           | mov                 byte ptr [esp + 0x14], 0x8e
            //   c644240426           | mov                 byte ptr [esp + 4], 0x26
            //   e8????????           |                     

        $sequence_15 = { e8???????? 4e e8???????? 54 c7042400000000 66ffce 6814711853 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   e8????????           |                     
            //   54                   | push                esp
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   66ffce               | dec                 si
            //   6814711853           | push                0x53187114

        $sequence_16 = { e8???????? 68e8030000 ffd6 68008fb201 e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   68e8030000           | push                0x3e8
            //   ffd6                 | call                esi
            //   68008fb201           | push                0x1b28f00
            //   e8????????           |                     

        $sequence_17 = { 680e040000 8d54246e 53 52 }
            // n = 4, score = 100
            //   680e040000           | push                0x40e
            //   8d54246e             | lea                 edx, [esp + 0x6e]
            //   53                   | push                ebx
            //   52                   | push                edx

        $sequence_18 = { ff15???????? 83c601 3bf7 72d8 8b542418 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   83c601               | add                 esi, 1
            //   3bf7                 | cmp                 esi, edi
            //   72d8                 | jb                  0xffffffda
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

        $sequence_19 = { 52 e8???????? 83c41c 83f805 7531 0fb70424 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   83f805               | cmp                 eax, 5
            //   7531                 | jne                 0x33
            //   0fb70424             | movzx               eax, word ptr [esp]

        $sequence_20 = { 660fbae408 662dca11 e8???????? 881438 e8???????? }
            // n = 5, score = 100
            //   660fbae408           | bt                  sp, 8
            //   662dca11             | sub                 ax, 0x11ca
            //   e8????????           |                     
            //   881438               | mov                 byte ptr [eax + edi], dl
            //   e8????????           |                     

        $sequence_21 = { 0f84f6010000 8d542444 68???????? 52 }
            // n = 4, score = 100
            //   0f84f6010000         | je                  0x1fc
            //   8d542444             | lea                 edx, [esp + 0x44]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_22 = { 7425 8bcf 8d7102 668b11 }
            // n = 4, score = 100
            //   7425                 | je                  0x27
            //   8bcf                 | mov                 ecx, edi
            //   8d7102               | lea                 esi, [ecx + 2]
            //   668b11               | mov                 dx, word ptr [ecx]

        $sequence_23 = { 8b442420 57 50 56 e8???????? 57 }
            // n = 6, score = 100
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   57                   | push                edi
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   57                   | push                edi

    condition:
        // A hit needs 7 of the 24 sequences above: enough that a single short
        // byte run occurring by chance in unrelated code does not fire the rule,
        // while tolerating variants that share only part of the sampled code.
        // The filesize bound (10817536 bytes, roughly 10.3 MiB) keeps the rule
        // from being evaluated against very large inputs; note that YARA's
        // filesize is only defined when scanning a file, so this condition is not
        // expected to fire on process-memory scans -- confirm against the YARA
        // version in use before relying on it there.
        7 of them and filesize < 10817536
}