{
	"id": "b08c8752-7941-4b5a-906b-e737e14f9854",
	"created_at": "2026-04-06T00:08:31.256577Z",
	"updated_at": "2026-04-10T03:20:52.832911Z",
	"deleted_at": null,
	"sha1_hash": "40730e7e101a3d190ddb8e2ebb897f165052f4b2",
	"title": "KillDisk Variant Hits Latin American Financial Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259897,
	"plain_text": "KillDisk Variant Hits Latin American Financial Groups\r\nPublished: 2018-01-15 · Archived: 2026-04-05 16:16:04 UTC\r\nUpdated as of January 15, 11:58 PM PDT to clarify that the new variant of KillDisk we found does not have a\r\nransom note.\r\nWe came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.\r\nTrend Micro detects it as TROJ_KILLDISK.IUB. Trend Micro™ Deep Discovery™ proactively blocks\r\nany intrusions or attacks associated with this threat. Initial analysis (which is still ongoing) reveals that it may be a\r\ncomponent of another payload, or part of a bigger attack. We are still analyzing this new KillDisk variant and we\r\nwill update this post as we uncover more details about this threat.\r\nKillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in\r\ncyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and\r\nmining industries. The malware has since metamorphosed into a threat used for digital\r\nextortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, like in the case of Petya, was a ruse: because KillDisk also overwrites and deletes files (and does not store the\r\nencryption keys on disk or online), recovering the scrambled files was out of the question. The new variant we\r\nfound, however, does not include a ransom note.\r\nFigure 1. KillDisk’s infection chain\r\nHow is it dropped in the system?\r\nThis KillDisk variant looks like it is intentionally dropped by another process/attacker. 
Its file path is hardcoded in\r\nthe malware (c:\\windows\\dimens.exe), which means that it is tightly coupled with its installer or is part of a\r\nbigger package.\r\nhttps://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html\r\nPage 1 of 6\n\nFigure 2. The new KillDisk variant’s parameter to shut down the affected machine\r\nKillDisk also has a self-destruct routine, although it does not really delete itself. While running, it renames its own file to\r\nc:\\windows\\0123456789; this string is hardcoded in the sample we analyzed, as is the expected original path\r\nc:\\windows\\dimens.exe. Consequently, if disk forensics is performed and dimens.exe is\r\nsearched for, the file retrieved will be a newly created file filled with 0x00 bytes, not the original binary.\r\nHow does it delete files?\r\nThis new KillDisk variant goes through all logical drives (fixed and removable) starting from drive b:. If the\r\nlogical drive contains the system directory, the files and folders in the following directories and their subdirectories are\r\nexempted from deletion:\r\nWINNT\r\nUsers\r\nWindows\r\nProgram Files\r\nProgram Files (x86)\r\nProgramData\r\nRecovery (case-sensitive check)\r\n$Recycle.Bin\r\nSystem Volume Information\r\nold\r\nPerfLogs\r\n \r\nBefore a file is deleted, it is first given a random name. KillDisk then overwrites the first 0x2800 bytes of the file, and a second 0x2800-byte block, with 0x00.\r\nFigure 3. Code snippets showing how KillDisk overwrites then deletes files\r\nHow does it wipe the disk?\r\nThe malware attempts to wipe \\\\.\\PhysicalDrive0 to \\\\.\\PhysicalDrive4. It reads the Master Boot Record (MBR) of\r\nevery device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. 
It\r\nuses the information from the MBR to do further damage to the partitions it lists. If a partition it finds is not an\r\nextended one, it overwrites the first 0x10 sectors and the last sector of the actual volume. If it finds an extended partition, it\r\nwill overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.\r\nFigure 4. Code snippets showing how KillDisk reads/scans the MBR (top, center), and overwrites the EBR\r\n(bottom)\r\nWhat happens after the MBR, files, and folders are overwritten and/or deleted?\r\nKillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it\r\nshuts down the affected machine. To try to reboot the machine, it will try to terminate these processes:\r\nClient/server run-time subsystem (csrss.exe)\r\nWindows Start-Up Application (wininit.exe)\r\nWindows Logon Application (winlogon.exe)\r\nLocal Security Authority Subsystem Service (lsass.exe)\r\n \r\nThis is most likely done to force a reboot or to dupe the user into restarting the machine. Terminating csrss.exe or\r\nwininit.exe, for instance, causes a blue screen of death (BSOD). Terminating winlogon.exe prompts the\r\nuser to log in again, while terminating lsass.exe causes a reboot. KillDisk also calls the ExitWindowsEx\r\nfunction to forcefully restart the machine.\r\nFigure 5. Code showing KillDisk forcefully rebooting the system\r\nWhat can organizations do?\r\nKillDisk’s destructive capabilities, and the likelihood that it is just one part of a bigger attack, highlight the significance of\r\ndefense in depth: securing gateways, endpoints, networks, and servers to further\r\nreduce the attack surface. 
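\r\nThe disk-wipe sequence described under 'How does it wipe the disk?' above, modelled as an added example that is not code from the original post or from Trend Micro: it replays the described steps against a constructed in-memory disk image (one NTFS primary partition plus an extended partition whose EBR lists a logical volume and a link entry) and reports which sectors end up zeroed, so the damage pattern can be compared against a real image. The 512-byte sector size, the extended-partition type codes that are checked, and the treatment of both EBR entries as plain volumes are assumptions of the model; the post does not state them.

```python
import struct

SECTOR = 512
DRIVE_HEAD_SECTORS = 0x20   # sectors zeroed at the start of each physical drive
PART_HEAD_SECTORS = 0x10    # sectors zeroed at the start of each partition found
# Assumption: the post does not say which type codes the sample treats as
# extended; DOS, Win95 LBA and Linux extended are used here.
EXTENDED_TYPES = {0x05, 0x0F, 0x85}


def parse_table(sector):
    # Four 16-byte entries at offset 0x1BE of an MBR or EBR sector:
    # status, CHS start, type, CHS end, LBA start, sector count.
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        ptype = sector[off + 4]
        lba_start, n_sectors = struct.unpack_from('<II', sector, off + 8)
        if ptype != 0 and n_sectors != 0:
            entries.append((ptype, lba_start, n_sectors))
    return entries


def zero_sectors(image, first, count):
    # Overwrite count sectors starting at first with 0x00; returns the sectors hit.
    total = len(image) // SECTOR
    hit = set()
    for s in range(first, first + count):
        if 0 <= s < total:
            image[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
            hit.add(s)
    return hit


def wipe_partition(image, start, size):
    # First 0x10 sectors of the volume plus its last sector.
    hit = zero_sectors(image, start, PART_HEAD_SECTORS)
    hit |= zero_sectors(image, start + size - 1, 1)
    return hit


def simulate_wipe(image):
    # Model of the sequence for one opened physical drive: read the MBR first,
    # zero the first 0x20 sectors, then act on each partition-table entry.
    table = parse_table(bytes(image[:SECTOR]))
    hit = zero_sectors(image, 0, DRIVE_HEAD_SECTORS)
    for ptype, start, size in table:
        if ptype in EXTENDED_TYPES:
            ebr = bytes(image[start * SECTOR:(start + 1) * SECTOR])
            hit |= zero_sectors(image, start, 1)            # the EBR itself
            for _, rel_start, rel_size in parse_table(ebr):
                # Both EBR entries are handled as the post describes, as two
                # more partitions. Their LBAs are taken relative to the EBR
                # sector (exact for the logical volume; for the link entry this
                # holds because the model puts the first EBR at the extended start).
                hit |= wipe_partition(image, start + rel_start, rel_size)
        else:
            hit |= wipe_partition(image, start, size)
    return hit


def put_entry(sector, index, ptype, lba_start, n_sectors):
    # Write one partition-table entry and the 0x55AA signature.
    struct.pack_into('<B3sB3sII', sector, 0x1BE + 16 * index,
                     0x80, bytes(3), ptype, bytes(3), lba_start, n_sectors)
    sector[510:512] = bytes([0x55, 0xAA])


def build_sample_image(n_sectors=4096):
    # Constructed 2 MiB disk image, filled with 0xAB so zeroed sectors stand out:
    # one NTFS primary partition and one extended partition holding an EBR
    # that lists a logical volume and a link entry.
    image = bytearray([0xAB]) * (n_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    put_entry(mbr, 0, 0x07, 64, 1000)      # sectors 64..1063
    put_entry(mbr, 1, 0x05, 2048, 2000)    # sectors 2048..4047
    image[:SECTOR] = mbr
    ebr = bytearray(SECTOR)
    put_entry(ebr, 0, 0x07, 63, 900)       # logical volume at 2111..3010
    put_entry(ebr, 1, 0x05, 1000, 500)     # link entry, read as a volume at 3048..3547
    image[2048 * SECTOR:2049 * SECTOR] = ebr
    return image


def damage_ranges(sectors):
    # Collapse the hit set into inclusive (first, last) ranges for a report.
    out = []
    for s in sorted(sectors):
        if out and out[-1][1] == s - 1:
            out[-1][1] = s
        else:
            out.append([s, s])
    return [tuple(r) for r in out]


if __name__ == '__main__':
    img = build_sample_image()
    for first, last in damage_ranges(simulate_wipe(img)):
        print(first, last)
```

Run as a script it prints the zeroed ranges for the sample image (0-31, 64-79, 1063, 2048, 2111-2126, 3010, 3048-3063, 3547). Note why the last sector matters: on an NTFS volume it holds the backup boot sector, so zeroing the first 0x10 sectors and the last sector removes both copies of the volume boot record while typically leaving the MFT and file data in place, which is why a disk hit by this sequence is usually still a candidate for partition and file-system carving rather than a total loss.\r\n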
Here are some best practices for organizations.\r\nKeep the system and its applications updated/patched to deter attackers from exploiting security gaps;\r\nconsider virtual patching for legacy systems.\r\nRegularly back up data and verify the integrity of the backups; since this variant wipes every logical drive it can reach, removable ones included, keep backups offline or otherwise not mounted as a drive on endpoints.\r\nEnforce the principle of least privilege. Network segmentation and data categorization\r\nhelp prevent lateral movement and further exposure.\r\nDeploy security mechanisms such as application control/whitelisting and behavior monitoring,\r\nwhich can block suspicious programs from running and thwart anomalous system modifications.\r\nProactively monitor the system and network; enable and employ firewalls as well as intrusion\r\nprevention and detection systems.\r\nImplement a managed incident response policy that will drive proactive remediation strategies; further\r\nstrengthen the organization’s security posture by cultivating a cybersecurity-aware workplace.\r\n \r\nTrend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against\r\na full range of threats for data centers, cloud environments, networks,\r\nand endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and\r\napplications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering,\r\nbehavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass\r\ntraditional controls and exploit known, unknown, or undisclosed vulnerabilities. 
Smart, optimized, and connected,\r\nXGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network\r\nDefense.\r\nRelated Hash (SHA-256):\r\n8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5 — TROJ_KILLDISK.IUB\r\nSource: https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html"
	],
	"report_names": [
		"new-killdisk-variant-hits-financial-organizations-in-latin-america.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40730e7e101a3d190ddb8e2ebb897f165052f4b2.pdf",
		"text": "https://archive.orkl.eu/40730e7e101a3d190ddb8e2ebb897f165052f4b2.txt",
		"img": "https://archive.orkl.eu/40730e7e101a3d190ddb8e2ebb897f165052f4b2.jpg"
	}
}