{
	"id": "c309a48f-5d21-458d-879f-53e87be3d85f",
	"created_at": "2026-04-06T02:10:36.546574Z",
	"updated_at": "2026-04-10T03:37:09.113451Z",
	"deleted_at": null,
	"sha1_hash": "1d596a73dea96ad52b99df719b9f6213b300bd31",
	"title": "KillDisk Disk-Wiping Malware Adds Ransomware Component",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 737434,
	"plain_text": "KillDisk Disk-Wiping Malware Adds Ransomware Component\r\nBy Catalin Cimpanu\r\nPublished: 2016-12-29 · Archived: 2026-04-06 02:04:28 UTC\r\nA malware family previously used to sabotage computers by deleting and rewriting files has added a ransomware component, now encrypting files and demanding a huge ransom.\r\nUntil now, the KillDisk malware family has been associated only with cyber-espionage and cyber-sabotage operations, most of which were carried out in the industrial sector.\r\nThe group behind this malware is known under two names: Sandworm or TeleBots.\r\nThe Sandworm gang is known for its work on the Sandworm malware that targeted and sabotaged industrial control systems (ICS) and supervisory control and data acquisition (SCADA) industrial devices in the US in 2014.\r\nhttps://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/\r\nPage 1 of 5\r\nKillDisk previously used in cyber-espionage and cyber-sabotage operations\r\nIt is believed that the Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan and the KillDisk disk-wiping malware.\r\nKillDisk gained some notoriety in the past two years because it was also used in 2015 and 2016, when another gang, the BlackEnergy cyber-espionage group, used the malware to attack and sabotage Ukrainian companies operating in the energy, mining, and media sectors.\r\nCurrently, the connection between BlackEnergy, a clearly state-sponsored cyber-espionage group, and the TeleBots/Sandworm gang is unknown.\r\nKillDisk used recently against Ukrainian banks\r\nWhat is known is that the TeleBots gang has been involved in cyber-sabotage operations that have crippled the activities of several businesses around the world.\r\nThe most recent of these attacks were against Ukrainian banks. These attacks infected bank workers with the TeleBots backdoor trojan via malicious email attachments. TeleBots is a unique malware because it uses the Telegram protocol to communicate with its operators.\r\nAfter collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also to hide the intruder's tracks.\r\nIn the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) to draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivist group portrayed in the show.\r\nPicture displayed by KillDisk component [Source: ESET]\r\nAt one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk as an alternative to disk-wiping operations.\r\nKillDisk ransomware demands over $215,000\r\nThe reason for this change is that it is much easier to hide the gang's tracks if KillDisk poses as ransomware. Targets would think they suffered a mundane ransomware infection, and they would not go looking for the TeleBots backdoor or other data exfiltration malware. Targets would restore from backup or pay the ransom and move on, trying to avoid the bad publicity.\r\nAccording to the team at CyberX, the KillDisk ransomware component shows the following message on infected computers and asks for a huge ransom of 222 Bitcoin, which is about $215,000.\r\nKillDisk ransom note [Source: CyberX]\r\nThe KillDisk encryption system is also very robust, encrypting each file with its own AES key, and then encrypting the AES key with a public RSA-1028 key.\r\nTo unlock the files, the victim must contact the TeleBots gang via an email address, pay the ransom, and receive the private RSA key that decrypts all the files.\r\nThe ransom demand is huge compared to other ransomware variants, but higher ransom demands are normal in targeted attacks such as these, where the crooks might attempt to extort the target in subsequent email conversations, threatening to dump sensitive files they stole via the TeleBots backdoor.\r\nSource: https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/"
	],
	"report_names": [
		"killdisk-disk-wiping-malware-adds-ransomware-component"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441436,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d596a73dea96ad52b99df719b9f6213b300bd31.pdf",
		"text": "https://archive.orkl.eu/1d596a73dea96ad52b99df719b9f6213b300bd31.txt",
		"img": "https://archive.orkl.eu/1d596a73dea96ad52b99df719b9f6213b300bd31.jpg"
	}
}