{"id":67910,"date":"2017-01-19T17:07:57","date_gmt":"2017-01-20T01:07:57","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=67910"},"modified":"2025-05-27T20:30:30","modified_gmt":"2025-05-28T03:30:30","slug":"analyzing-killdisk-ransomware-part-1-whitelisting","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/analyzing-killdisk-ransomware-part-1-whitelisting\/","title":{"rendered":"Analyzing KillDisk Ransomware, Part 1: Whitelisting"},"content":{"rendered":"<p><em>This blog post was written by Sudhanshu Dubey.<\/em><\/p>\n<p style=\"text-align: justify;\">At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected system (with a demo video).<\/p>\n<p style=\"text-align: justify;\">KillDisk demands a pretty high ransom: 222 Bitcoins (around US$170,000).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67912 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Ransomwarenote-Copy.png\" alt=\"KillDisk Ransom-note (Infected Machine)\" width=\"1272\" height=\"500\" border=\"1\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Ransomwarenote-Copy.png 1272w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Ransomwarenote-Copy-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Ransomwarenote-Copy-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Ransomwarenote-Copy-1024x403.png 1024w\" sizes=\"auto, (max-width: 1272px) 100vw, 1272px\" \/><\/p>\n<p style=\"text-align: center;\"><em>The KillDisk ransom note.\u00a0<\/em><\/p>\n<p style=\"text-align: left;\">KillDisk is data-wiping malware, and is generally used by other 
malware to hide their artifacts from an infected system. BlackEnergy is one brand of malware that uses KillDisk.<\/p>\n<p style=\"text-align: justify;\">Recently, the author of KillDisk enhanced the malware by adding the ransomware capability. This ransomware targets both Windows and Linux systems. It encrypts files, blocks the screen, and demands an unusually high ransom. We analyzed the Windows variant and found some interesting things.<\/p>\n<h2 style=\"text-align: left;\"><strong>Analysis<\/strong><\/h2>\n<p style=\"text-align: justify;\">During our analysis of KillDisk, we saw little file system activity. To remove its (or its component&#8217;s) execution traces from the infected system, KillDisk uses the Windows event utility (wevtutil).\u00a0Microsoft describes wevtutil as follows:<\/p>\n<p style=\"text-align: justify; padding-left: 30px;\">\u201cWevtutil enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.\u201d<\/p>\n<p>KillDisk executes these commands before starting its encryption process:<\/p>\n<ul>\n<li>wevtutil clear-log application<\/li>\n<li>wevtutil clear-log security<\/li>\n<li>wevtutil clear-log setup<\/li>\n<li>wevtutil clear-log system<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">This malware has a complex routine that decrypts the DLL names, API names, file extensions, process names, and other strings, including the preceding commands. 
This screenshot illustrates:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67915 size-full aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Decryption-Routine-Copy.png\" alt=\"Decryption Routine\" width=\"866\" height=\"284\" border=\"1\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Decryption-Routine-Copy.png 866w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Decryption-Routine-Copy-300x98.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Decryption-Routine-Copy-768x252.png 768w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Decryption routine.<\/em><\/p>\n<p>KillDisk targets the following files:<\/p>\n<p style=\"padding-left: 30px;\">.pdb .vbm .vbk .dat .crt .key .kdbx .bak .back .dr .bkf .cfg .fdb .mdb .accdb .gdb .wdb .csv .sdf .myd .dbf .sql .edb .mdf .ib .db3 .db4 .accdc .mdbx .sl3 .sqlite3 .nsn .dbc .dbx .sdb .ibz .sqlite .ova .vmdk .vhd .vmem .vdi .vhdx .vmx .ovf .vmc .vmfx .vmxf .hdd .vbox .vcb .vmsd .vfd .pvi .hdd .bin .avhd .vsv .iso .nrg .disk .hdd .pmf .vmdk .xvd .dev .pem .jrs .cer .pvk .pfx .pd .pio .csr .crl .p7c .piz .p7b .spc .p7r .io .pyc .dwg .max .dxf .3ds .ai .conf .my .ost .pst .mkv .mp3 .wav .oda .sh .py .ps .ps1 .php .aspx .asp .rb .js .git .mdf .pdf .djvu .doc .docx .xls .xlsx .jar .ppt .pptx .rtf .vsd .vsdx .jpeg .jpg .png .tiff .msi .zip .rar .7z .tar .gz .eml .mail .ml<\/p>\n<p style=\"text-align: left;\">After encryption, the files keep the same extensions but their data is encrypted, and 0x98 bytes are appended to the end of each file. The first 0x80 of these appended bytes are related to the key and the next 0x18 bytes are the ransomware message, shown below:<\/p>\n<p style=\"padding-left: 30px;\">DoN0t0uch7h!$CrYpteDfilE<\/p>\n<p style=\"text-align: justify;\">KillDisk also uses these 0x18 bytes as an infection marker, to avoid encrypting already locked files again. 
The following screenshot shows the appended data in an encrypted file:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-67913 size-full aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Appended-Bytes-Copy.png\" alt=\"Appended Data\/Signature in Encrypted file\" width=\"1273\" height=\"321\" \/><\/p>\n<p style=\"text-align: center;\"><em>The appended data\/signature in an encrypted file.<\/em><\/p>\n<h2><strong>Whitelisting to avoid analysis<\/strong><\/h2>\n<p style=\"text-align: justify;\">We have observed some malware use blacklisting methods to kill analysis tools: If they find antimalware or related applications, they will terminate that process. But this malware uses the opposite technique of whitelisting: It maintains a list of benign processes, checks the system for them, and stores their process IDs (PIDs) along with its PID. After generating the PID list, the malware again enumerates the running processes and terminates those that are not on its generated PID list.<\/p>\n<p style=\"text-align: left;\">The following chart illustrates both blacklist and whitelist techniques:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67914 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/BlackList_FlowChart.png\" alt=\"Blacklist Flowchart\" width=\"344\" height=\"609\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/BlackList_FlowChart.png 389w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/BlackList_FlowChart-169x300.png 169w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/BlackList_FlowChart-282x500.png 282w\" sizes=\"auto, (max-width: 344px) 100vw, 344px\" \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-67918 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/WhiteList_Flowchart.png\" alt=\"WhiteList Guard Flowchart\" width=\"345\" height=\"754\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/WhiteList_Flowchart.png 345w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/WhiteList_Flowchart-137x300.png 137w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/WhiteList_Flowchart-229x500.png 229w\" sizes=\"auto, (max-width: 345px) 100vw, 345px\" \/><\/p>\n<p><em>Blacklist flowchart. Whitelist flowchart.<\/em><\/p>\n<p style=\"text-align: justify;\">The whitelist technique works pretty well against automated analysis environments such as the Cuckoo sandbox.<\/p>\n<h2 style=\"text-align: left;\"><strong>Debugger evasion via whitelist<\/strong><\/h2>\n<p style=\"text-align: justify;\">The malware retrieves its PID using the GetCurrentProcessId function, so when the process is being debugged in any debugger (OLLY, IDA, etc.), the function returns the malware\u2019s PID and not the debugger\u2019s. Thus, the PID whitelist created by the malware will not contain the debugger\u2019s PID. 
When the malware executes its termination routine using the TerminateProcess API, the debugger&#8217;s process will be killed.<\/p>\n<p style=\"text-align: justify;\">The following screenshot shows disassembly of the code that\u00a0terminates calc.exe because the process name is not on the malware\u2019s whitelist.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-67917 size-full aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TerminateProcess-Copy.png\" alt=\"Terminating calc.exe\" width=\"681\" height=\"322\" border=\"1\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/TerminateProcess-Copy.png 681w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/TerminateProcess-Copy-300x142.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Terminating\u00a0calc.exe.<\/em><\/p>\n<p style=\"text-align: justify;\">However, we see not only the termination of the debugger process, but also of the child-sample process. We did not expect this behavior because the malware is using the TerminateProcess() API, which kills only the specified process, not its child processes.<\/p>\n<p style=\"text-align: justify;\"><strong>Why are the child processes also terminated?<\/strong>\u00a0It\u2019s because of how the debugger creates its child processes. The debugger creates its child processes using specific creation flags related to debugging. The debugger uses the\u00a0DEBUG_ONLY_THIS_PROCESS\/DEBUG_PROCESS flag while calling the CreateProcess() API. 
Due to this flag, when the parent process gets terminated, the child processes die as well.<\/p>\n<p style=\"text-align: left;\">KillDisk&#8217;s whitelist consists of Windows and antimalware process names, including McAfee products.<\/p>\n<p style=\"text-align: left;\"><strong>Why are antimalware process names part of the malware&#8217;s whitelist?<\/strong>\u00a0It may be because AV products generally use protection techniques so that other processes can\u2019t kill their processes, and they may check on any process that wants to kill their processes. We think the malware author does not want to give the AV processes any indication of the malware&#8217;s existence.<\/p>\n<p style=\"text-align: left;\">The whitelisted process names:<\/p>\n<p style=\"text-align: left; padding-left: 30px;\">smss.exe, csrss.exe, wininit.exe, services.exe, lsass.exe, lsm.exe, svchost.exe, winlogon.exe, explorer.exe, dwm.exe, wuauclt.exe, spoolss.exe, spoolsv.exe, taskhost.exe, conhost.exe, shutdown.exe, avp.exe, avpui.exe, ekrn.exe, egui.exe, <span style=\"color: red;\">mfemmc.exe,<\/span> mfefire.exe, mfevtps.exe, pefservice.exe, mcsvhost.exe, msascui.exe, msmpeng.exe, mpcmdrun.exe<\/p>\n<p style=\"text-align: left;\">There is a typo in this list related to one McAfee process name. Our mfemms.exe is part of the McAfee Management service, but the malware looks for the process name mfemmc.exe.<\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p style=\"text-align: justify;\">KillDisk is new to the world of ransomware. It has implemented a whitelisting technique to protect itself, although it looks unstable because it kills all the other processes in the system. This malware has some coding bugs but can still badly harm its victims by encrypting files and demanding a huge ransom. 
This might be a beta\u00a0version of this malware; we could see an updated version in the near future.<\/p>\n<p style=\"text-align: justify;\">The second part of this post will contain our analysis of the malware&#8217;s other variants, along with some techniques including how to unlock the locked screen on an infected system (with a demo video).<\/p>\n<p style=\"text-align: justify;\">McAfee products detect all known variants of this malware.<\/p>\n<p><em>Thanks to Vikas Taneja for his valuable input.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post was written by Sudhanshu Dubey. At McAfee Labs we recently analyzed the ransomware KillDisk. We will share&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[76,338,180,4549],"coauthors":[4136],"class_list":["post-67910","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[]}