We all remember Petya/NotPetya. How could you forget? The nasty malware took cues from WannaCry, leveraging the same SMB vulnerability. But instead of locking away files, Petya/NotPetya was a wiper – simply cleaning devices of their data. Petya was not the first wiper we’ve seen, and it’s certainly not the last. In fact, a classic disk wiper is currently re-emerging in Latin America, called KillDisk, and is targeting financial firms. Once dropped on a computer, it will load itself into memory, delete its files from disk, and rename itself.
KillDisk is actually one of the most infamous malware families around. It has historically masked itself as ransomware, but is rather a very destructive wiper. Cybercriminals typically deploy it in the later stages of an infection so they can use it to hide their tracks by wiping disks and destroying forensic evidence. That’s precisely why it was paired together with the BlackEnergy malware during Telebots’ attacks on the Ukrainian power grid – so the cybercriminals could conduct their scheme with stealth.
As Christiaan Beek, lead scientist and principal engineer at McAfee claims – that’s a wiper’s bread and butter. He says, “In the past we have seen wipers being used targeting the Energy sector in the Ukraine, Oil & Gas industry in the Middle-East, Media-company and against targets in South Korea. All of these were related to regional or political conflicts.”
Destruction is clearly the end goal, but stealth is the way of getting there. Beek continues, “In 2017, we introduced the term pseudo-ransomware where destructive attacks disguised as ransomware either took down companies in a nation or were used to keep the IT-department busy while money was being transferred at the same time. Now with KillDisk, it seems that criminals do not hesitate to use it during their campaigns. Since the initial infection vector is unknown and we are lacking further samples or details, we can only speculate why they are using this.”
That’s the ultimate question – why? Is KillDisk part of a larger attack, intended to help cybercriminals avoid detection? Or are crooks extorting these financial institutions for monetary gain? As of now, we’re unsure of the motive. But we do know that as this threat continues to evolve and creates a convincing smoke screen, we all must be as vigilant as ever.