## New KillDisk Variant Hits Financial Organizations in Latin America

[Posted on: January 15, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/01/) at 8:00 am | [Posted in: Malware](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/) | Author: Trend Micro

_by Gilbert Sison, Rheniel Ramos, Jay Yaneza, and Alfredo Oliveira_

We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America. Trend Micro detects it as [TROJ_KILLDISK.IUB](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_KILLDISK.IUB). Trend Micro™ Deep Discovery™ proactively blocks any intrusions or attacks associated with this threat. Initial analysis (which is still ongoing) reveals that it may be a component of another payload, or part of a bigger attack. We are still analyzing this new KillDisk variant and we will update this post as we uncover more details about this threat.

[KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks](http://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/) in [late December 2015 against Ukraine’s energy sector](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/first-malware-driven-power-outage-reported-in-ukraine) as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting [Windows and Linux platforms](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-1-13-2017). The ransom note, like in the case of [Petya](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/frequently-asked-questions-the-petya-ransomware-outbreak), was a ruse: because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.

_Figure 1: KillDisk’s infection chain_

**_How is it dropped in the system?_**

This KillDisk variant looks like it is intentionally dropped by another process/attacker. Its file path is hardcoded in the malware (`c:\windows\dimens.exe`), which means that it is tightly coupled with its installer or is a part of a bigger package.

_Figure 2: The new KillDisk variant’s parameter to shut down the affected machine_

KillDisk also has a self-destruct process, although it isn’t really deleting itself. It renames its file to `c:\windows\0123456789` while running. This string is hardcoded in the sample we analyzed. It expects its file path to be `c:\windows\dimens.exe` (also hardcoded). Accordingly, if disk forensics is performed and dimens.exe is searched, the file that will be retrieved will be the newly created file with 0x00 byte
the logical drive contains the system directory, the files and folders in the following directories and subdirectories are exempted from deletion:

- _WINNT_
- _Users_
- _Windows_
- _Program Files_
- _Program Files (x86)_
- _ProgramData_
- _Recovery (case-sensitive check)_
- _$Recycle.Bin_
- _System Volume Information_
- _old_
- _PerfLogs_

Before a file is deleted, it is first randomly renamed. KillDisk will overwrite the first 0x2800 bytes of the file and another 0x2800-byte block with 0x00.

_Figure 3: Code snippets showing how KillDisk overwrites then deletes files_

**_How does it wipe the disk?_**

The malware attempts to wipe `\\.\PhysicalDrive0` to `\\.\PhysicalDrive4`. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with 0x00. It uses the information from the MBR to do further damage to the partitions it lists. If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.

_Figure 4: Code snippets showing how KillDisk reads/scans the MBR (top, center), and overwrites the EBR (bottom)_

processes:

- Client/server run-time subsystem (csrss.exe)
- Windows Start-Up Application (wininit.exe)
- Windows Logon Application (winlogon.exe)
- Local Security Authority Subsystem Service (lsass.exe)

This is done most likely to force a reboot or dupe the user into restarting the machine. Terminating csrss.exe and wininit.exe, for instance, will cause a blue screen of death (BSOD).
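The overwrite patterns described above (the first 0x2800 bytes of a file; the first 0x20 sectors of the device, the first 0x10 and last sectors of a non-extended partition, and the EBR of an extended one) are what a responder would check for on an image recovered from an affected host. The following triage script is an added example, not code from the post or from Trend Micro: it assumes 512-byte sectors, a classic MBR table with the standard extended-partition type codes 0x05/0x0F, reads "last sectors" as the final sector of the partition, and uses a constructed test image. Because a zeroed MBR leaves no partition table to parse, it accepts a known layout (for example recorded from a backup) as a fallback.

```python
import struct
SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # standard MBR type codes for extended partitions (assumed, not from the post)

def is_zeroed(img, start_sector, count):
    # True when `count` whole sectors from `start_sector` exist and are entirely 0x00
    chunk = img[start_sector * SECTOR:(start_sector + count) * SECTOR]
    return len(chunk) == count * SECTOR and not any(chunk)

def file_head_zeroed(data):
    # File-level pattern from the post: the first 0x2800 bytes (0x14 sectors) overwritten with 0x00
    return is_zeroed(data, 0, 0x2800 // SECTOR)

def parse_table(img, base_sector):
    # Parse the 4-entry partition table of an MBR/EBR sector; None if the 0x55AA signature is gone
    off = base_sector * SECTOR
    if img[off + 510:off + 512] != b"\x55\xaa":
        return None
    entries = []
    for i in range(4):
        ptype = img[off + 446 + i * 16 + 4]
        lba, count = struct.unpack_from("<II", img, off + 446 + i * 16 + 8)
        if ptype:
            entries.append((ptype, lba, count))
    return entries
def triage_image(img, known_layout=None):
    # Check every region the post says KillDisk zeroes; a zeroed MBR leaves no table, so use `known_layout`
    table = parse_table(img, 0)
    report = {"mbr_area_zeroed": is_zeroed(img, 0, 0x20), "partitions": []}
    for ptype, lba, count in (table if table is not None else known_layout or []):
        if ptype in EXTENDED_TYPES:
            p = {"lba": lba, "kind": "extended", "ebr_zeroed": is_zeroed(img, lba, 1)}
        else:
            p = {"lba": lba, "kind": "primary", "head_zeroed": is_zeroed(img, lba, 0x10),
                 "last_sector_zeroed": is_zeroed(img, lba + count - 1, 1)}
        report["partitions"].append(p)
    return report
SAMPLE_LAYOUT = [(0x07, 64, 512), (0x05, 1024, 512)]   # constructed layout: one primary, one extended
def build_sample_image(damaged=False):
    # Constructed 1 MiB fixture filled with 0xAA; `damaged=True` zeroes the regions named in the post
    img = bytearray(b"\xaa" * (2048 * SECTOR))
    img[446:510] = bytes(64)                            # clear all four table slots first
    for i, (ptype, lba, count) in enumerate(SAMPLE_LAYOUT):
        struct.pack_into("<B3xB3xII", img, 446 + i * 16, 0, ptype, lba, count)
    img[510:512] = b"\x55\xaa"
    if damaged:
        for start, n in ((0, 0x20), (64, 0x10), (64 + 512 - 1, 1), (1024, 1)):
            img[start * SECTOR:(start + n) * SECTOR] = bytes(n * SECTOR)
    return bytes(img)
```

On a real case, read the raw image with `open(path, "rb").read()` (or map it) in place of `build_sample_image()`, and supply the layout from a pre-incident inventory when `parse_table` returns None.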
Terminating winlogon.exe will prompt the user to log in again, while terminating lsass.exe will cause a reboot. [KillDisk also uses the ExitWindowsEx function to forcefully restart the machine.](https://msdn.microsoft.com/en-us/library/windows/desktop/aa376868(v=vs.85).aspx)

_Figure 5: Code showing KillDisk forcefully rebooting the system_

**_What can organizations do?_**

KillDisk’s destructive capabilities, and how it could be just a part of a bigger attack, highlight the significance of defense in depth: securing the perimeters — from gateways, endpoints, and networks to servers — to further reduce the attack surface. Here are some best practices for organizations.

- Keep the system and its applications updated/patched to deter attackers from exploiting security gaps; consider [virtual patching](https://www.trendmicro.com/en_ca/business/capabilities/intrusion-prevention.html) for legacy systems.
- [Regularly back up data and ensure its integrity.](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/best-practices-backing-up-data)
- [Enforce the principle of least privilege. Network segmentation and data categorization help prevent lateral movement and further exposure.](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/protecting-data-through-network-segmentation)
- Deploy security mechanisms such as [application control/whitelisting and behavior monitoring](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-application-control.html), which can block suspicious programs from running and thwart anomalous system modifications.
- [Proactively monitor the system and network; enable and employ firewalls as well as intrusion prevention and detection systems.](https://www.trendmicro.com/vinfo/us/security/news/security-technology/best-practices-deploying-an-effective-firewall)
- [Implement a managed incident response policy that will drive proactive remediation strategies;](http://blog.trendmicro.com/trendlabs-security-intelligence/four-steps-to-an-effective-targeted-attack-response/) further strengthen the organization’s security posture by cultivating a cybersecurity-aware workplace.

[Trend Micro™ XGen™ security](https://www.trendmicro.com/en_us/business/products/all-solutions.html) provides a cross-generational blend of threat defense techniques against a full range of threats for [data centers, cloud environments, networks, and endpoints](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security-data-center.html). It features [high-fidelity machine learning to secure the gateway and endpoint data and applications](http://www.trendmicro.com/us/business/complete-user-protection/index.html), and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit [known, unknown, or undisclosed vulnerabilities](https://www.trendmicro.com/us/enterprise/product-security/vulnerability-protection/). Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

_Related Hash (SHA-256):_

8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5 — [TROJ_KILLDISK.IUB](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_KILLDISK.IUB)

Copyright © 2018 Trend Micro Incorporated. All rights reserved.