A new variant of the KillDisk malware has recently been found to contain a ransomware component: instead of deleting files and data, it encrypts them and holds them for ransom. Because industrial control systems (ICS) are the target of this KillDisk attack, authorities are concerned that the threat actor is bringing ransomware into the whole industrial domain.
How does KillDisk function?
Earlier versions of KillDisk completely and securely wiped data from hard disks, but a new variant, discovered by the cybersecurity firm CyberX, encrypts the files and data on the drive using the RSA and AES algorithms. Every encrypted file gets its own AES key, and these keys are in turn encrypted with an RSA 1028 key embedded in the body of the malware.
What does CyberX have to say about the Ransomware?
A team led by David Atch, CyberX's VP of research, told the media that the variant they reverse-engineered is a cleverly written piece of ransomware; its code resembles that of the previous versions and the functionality is more or less the same.
The ransomware is reported to target both the files on the local hard disk and any mapped network folders that are shared, creating a risk that it spreads through an entire organization.
The threat actor demanded 222 Bitcoin, worth about $200,000, to recover the files. Experts suggest that the threat actor intends to target “organizations with deep pockets”. The email address provided by the attacker is associated with Lelantos.org, a secure and anonymous email service provider, and the Bitcoin address given for the ransom has never been used in any transaction.
Mr. Atch also stated that since the same RSA 1028 key is used in all samples, it is possible to decrypt the data of all victims using that one key.
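The key handling described above (a fresh AES key per file, each wrapped with one RSA public key carried in the malware) is ordinary hybrid encryption, and it is exactly why a single recovered RSA private key would unlock every victim. The following Go program is an added illustration, not CyberX's analysis or any KillDisk code; the blob layout, the 2048-bit key size, RSA-OAEP and AES-GCM are my own choices, and the sample "files" are constructed byte strings held in memory. RecoverAll is the defender's side: one private key unwraps all of the per-file keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FileBlob is the illustrative layout assumed by this example: the per-file
// AES key wrapped with the RSA public key, the GCM nonce and the ciphertext.
// It is not KillDisk's on-disk format.
type FileBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile models the scheme from the article for one file: generate a
// fresh AES-256 key, encrypt the contents with it, then wrap that key with
// the single RSA public key embedded in the sample.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*FileBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// RSA-OAEP wrap of the 32-byte file key (assumption: OAEP, not KillDisk's padding).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &FileBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// RecoverFile unwraps the per-file key with the RSA private key and decrypts
// the contents. A private key from a different pair fails at the unwrap step.
func RecoverFile(priv *rsa.PrivateKey, b *FileBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// RecoverAll makes Atch's point concrete: because every sample wraps its
// file keys with the same RSA key, one private key recovers every blob.
func RecoverAll(priv *rsa.PrivateKey, blobs []*FileBlob) ([][]byte, error) {
	out := make([][]byte, 0, len(blobs))
	for i, b := range blobs {
		pt, err := RecoverFile(priv, b)
		if err != nil {
			return nil, fmt.Errorf("blob %d: %w", i, err)
		}
		out = append(out, pt)
	}
	return out, nil
}

func main() {
	// Constructed key pair standing in for the one embedded in the malware body.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample "files"; real victims would have many on local and mapped drives.
	samples := [][]byte{[]byte("quarterly-report.docx"), []byte("plc-settings.xml")}
	var blobs []*FileBlob
	for _, s := range samples {
		b, err := EncryptFile(&priv.PublicKey, s)
		if err != nil {
			panic(err)
		}
		blobs = append(blobs, b)
	}
	recovered, err := RecoverAll(priv, blobs)
	if err != nil {
		panic(err)
	}
	for i, r := range recovered {
		fmt.Printf("blob %d recovered: %q\n", i, r)
	}
}
```

The defensive lesson is in the asymmetry: without the private half of that single embedded RSA key, each file's AES key is unrecoverable; with it, every affected file on every victim is recoverable, which is why a shared key across samples matters so much to incident responders.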
Atch explained, “Important thing to notice about the malware, the author/s are familiar with the crypto API, they are using some of its functions to generate truly random numbers. But they decided to avoid using the function CryptDecrypt, probably because this function can be easily hooked. Hooking the function may provide an Anti-Malware software an easy way of dealing with unwanted file encryption, the hooking will provide an ability to restore the keys.”
How did KillDisk rise as ransomware?
According to a recently published ESET report describing attacks carried out by a group called TeleBots, researchers believe this group is a reincarnation of the BlackEnergy (Sandworm) group responsible for several attacks on ICS/SCADA systems, including attacks on Ukraine's energy sector.
In past disruptive attacks by TeleBots against Ukraine's financial sector, the group used many tools, including KillDisk. KillDisk is used in the final stage of an attack, once the attackers have obtained administrator credentials, to wipe the company's data. In these attacks KillDisk was designed to activate at a particular time; besides deleting system files, it overwrote files with certain extensions.
CyberX believes that the attackers turned KillDisk into ransomware because this new approach lets them monetize their attacks directly.
Most researchers say that industrial organizations are favourite ransomware targets for these groups: a cyber disruption can also create a physical safety risk and expose confidential data to competitors, network operations cannot easily be shut down, and backups may not cover all the required data. The biggest problem is that employees are not aware of the cyber threat they face.
“Enterprises are more likely to quietly pay the ransom because of concerns that going public with cyberattacks will invite greater scrutiny from regulators, and possibly fines (environmental, safety, etc.),” said Phil Neray, VP of industrial cybersecurity at CyberX.