The KillDisk malware family, used to sabotage computers by deleting and rewriting files, has just gained a brand new ransomware component. With it, the malware encrypts files and demands a huge ransom.
Until now, the KillDisk family had been associated only with cyber-espionage and cyber-sabotage operations, carried out mostly in the industrial sector.
The cyber gang that created the infection is known under two names, Sandworm and TeleBots, and is famous for its work on the Sandworm malware. The Sandworm group is believed to have later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan as well as the KillDisk disk-wiping malware.
Over the past couple of years, KillDisk gained notoriety through its use in 2015 and 2016, when another gang, the BlackEnergy cyber-espionage group, used the malware to attack and sabotage Ukrainian companies operating in the energy, mining, and media sectors.
At present, the connection between the BlackEnergy group and the TeleBots/Sandworm gang is unknown.
What is certain, though, is that the TeleBots gang has been involved in cyber-sabotage operations that have crippled the activities of several businesses worldwide. Their latest attacks targeted Ukrainian banks, infecting bank employees with the TeleBots backdoor trojan via malicious email attachments.
The most interesting thing about TeleBots malware is that it uses the Telegram protocol to communicate with its operators.
The TeleBots gang collects data from infected systems, such as passwords and important files, and then deploys the KillDisk component, which deletes crucial system files, replaces files, and rewrites file extensions. The main purpose is to make the computer unbootable and cover the tracks of the infection.
During the latest attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) to draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivist group portrayed in the show.
At one point in the show, the FSociety group also infects the eCorp bank network with ransomware. The TeleBots gang has now done the same, adding a ransomware component to KillDisk as an alternative to its disk-wiping operations.
The main reason for this change is that it is much easier to hide the gang's tracks if KillDisk poses as ransomware.
The victims would think they suffered a mundane ransomware infection and wouldn’t go looking for the TeleBots backdoor or other data exfiltration malware. Targets would restore from backup or pay the ransom and move on, trying to avoid the bad publicity.
The CyberX team claims that the KillDisk ransomware component now demands a huge ransom of 222 Bitcoin ($215,000).
The KillDisk encryption scheme is also robust: each file is encrypted with its own AES key, and that AES key is then encrypted with a public RSA-1028 key.
To recover the encrypted files, the victim must contact the TeleBots group via an email address, pay the ransom, and receive the private RSA key that decrypts all the files.
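A per-file AES key wrapped under an RSA public key is standard hybrid encryption. The Go model below is added here as an illustration (it is not KillDisk's code, and the article does not say which cipher modes the malware uses; AES-256-GCM and RSA-OAEP are assumed as stand-ins) to show why the design is hard to undo: Seal needs only the public key and draws a fresh key per file, Open needs the private key, and a key recovered for one file opens nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// aead builds an AES-256-GCM instance for one per-file key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal models encrypting one file: a fresh key and nonce are drawn for this file
// only, and the key is wrapped with the operators' public key, so nothing left on
// the victim machine can unwrap it. Returns nonce||ciphertext and the wrapped key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (ct, wrappedKey []byte, err error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	rand.Read(buf)             // crypto/rand, documented never to return an error
	key, nonce := buf[:32], buf[32:]
	gcm, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), wrappedKey, nil
}

// Open models recovery: only the RSA private key unwraps the per-file key, and
// each unwrapped key decrypts exactly one file (the GCM tag rejects any other).
func Open(priv *rsa.PrivateKey, ct, wrappedKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[:12], ct[12:], nil)
}
```

For an incident responder the practical consequence is the one the article states: without the private key, recovery comes from backups, not from any material left on the host.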