{"id":68533,"date":"2017-02-13T23:50:13","date_gmt":"2017-02-14T07:50:13","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=68533"},"modified":"2025-05-27T20:29:34","modified_gmt":"2025-05-28T03:29:34","slug":"analyzing-killdisk-ransomware-part-2-variants-screen-unlocking","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/analyzing-killdisk-ransomware-part-2-variants-screen-unlocking\/","title":{"rendered":"Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking"},"content":{"rendered":"<p><em>This blog post was written by Sudhanshu Dubey.<\/em><\/p>\n<p>At McAfee Labs we recently analyzed the ransomware KillDisk.\u00a0In <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/analyzing-killdisk-ransomware-part-1-whitelisting\/\">part 1<\/a> of this analysis, we discussed the basics of the\u00a0malware and the whitelisting it uses to protect itself. In this part, we will provide more information about the malware&#8217;s internals, its variants, and steps to unlock\u00a0the ransomware lock screen.<\/p>\n<p><strong>Variant 1.\u00a0<\/strong>This variant seems to be inspired by the TV series \u201cMr. Robot.\u201d The lock screen uses the string \u201cWe are fSociety\u201d:<\/p>\n<p style=\"text-align: center;\"><em>The KillDisk ransom note.<\/em><\/p>\n<p>While analyzing the encryption process of this variant, we observed some strange behavior. In contrast to Variant 2, this one behaved more like a destroyer, overwriting all the files with specific\u00a0bytes. This step makes the data irrecoverable. Hence this variant\u2019s lock screen has no payment information. Instead, it appeals to victims to join them.<\/p>\n<p><strong>Variant 2.\u00a0<\/strong>This variant works like normal ransomware, encrypting data files. It keeps the encrypted data in each locked file along with some more bytes including an infection marker. 
For more information about this variant, refer to\u00a0<a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/analyzing-killdisk-ransomware-part-1-whitelisting\/\">Part 1<\/a> of this post.<\/p>\n<h2><strong>Analysis<\/strong><\/h2>\n<p>Although the two variants encrypt files differently, they accept the same arguments and behave the same way based on those arguments. We found three arguments, which we shall discuss.<\/p>\n<ul>\n<li><strong>-set<\/strong><\/li>\n<li><strong>-est<\/strong><\/li>\n<li><strong>-opt<\/strong><\/li>\n<\/ul>\n<p>KillDisk\u00a0takes these arguments as key-value pairs and checks the values for the given key.<\/p>\n<p><strong>-est.\u00a0<\/strong>The value of this argument is in minutes. This argument is used to store the &#8220;current time + minutes&#8221; in the registry.<\/p>\n<p><strong>-set.\u00a0<\/strong>This argument is used to create the service and registry entries. It receives the value in Date#Time format (for example, &#8220;-set=20.12.2016#05:00&#8221;) to fill the registry entry it creates. Before proceeding, it tries to get a handle to an event using the OpenEvent() API, to check whether the malware has already been executed. The event name has the following format:<\/p>\n<p><strong>Global\\{CLSID}<\/strong><\/p>\n<p>If the malware\u00a0finds the event, it first cleans up the registry and deletes the service. It then recreates the service and the registry with updated values.<\/p>\n<p>The malware\u00a0uses the WinExec() API to execute the sc command, which creates a service whose binary path is set to itself, along with the argument -opt=svc. (We will explain this value later.)<\/p>\n<p style=\"text-align: center;\"><em>Calling WinExec() to create a service.<\/em><\/p>\n<p>The two variants use different service names. 
The following screenshots show the services created by the variants.<\/p>\n<p style=\"text-align: center;\"><em>Services installed by KillDisk (both variants).<\/em><\/p>\n<p>Comparing the registry keys created by the variants, we infer that they have different names and paths. But the data in the registry values is the same and has been filled using the same method. KillDisk uses the -set and -est argument values passed to the executable. It creates three registry values that store time in TimeStamp format, that is, seconds since 1\/1\/1970.\u00a0Here is more information about the registry values:<\/p>\n<ul>\n<li>First registry value: Current time<\/li>\n<li>Second registry value: Time given with -set argument<\/li>\n<li>Third registry value: Current time + minutes given in -est argument<\/li>\n<\/ul>\n<p>The following screenshot shows the registry entries created by the malware when executing with the arguments -set=20.12.2016#05:00 -est=1440:<\/p>\n<p style=\"text-align: center;\"><em>Registry entries.<\/em><\/p>\n<p>The two variants use different registry paths, keys, and value names.<\/p>\n<p><strong>-opt.\u00a0<\/strong>This argument has five values:<\/p>\n<ul>\n<li>frc<\/li>\n<li>chk<\/li>\n<li>cnc<\/li>\n<li>svc<\/li>\n<li>pic<\/li>\n<\/ul>\n<p>The malware&#8217;s behavior depends on the values of this argument, which the malware keeps in encrypted form. Before comparing the argument values, KillDisk first decrypts them. 
The following code snippet shows the decryption and comparison of argument values:<\/p>\n<p style=\"text-align: center;\"><em>Decrypting and comparing -opt argument values.<\/em><\/p>\n<p>Let\u2019s see how the malware behaves with different argument values.<\/p>\n<p><strong>-opt=pic.\u00a0<\/strong>This value leads to the creation of the ransom note and locking the screen. The malware imports functions from GDI32.dll and User32.dll to design the image. It opens a window using the CreateWindow() API and then creates the image over it. The following code snippet from Variant 2 draws the ransom message on the screen:<\/p>\n<p style=\"text-align: center;\"><em>Ransom note creation code in Variant 2.\u00a0RGB (255, 83, 0) is a shade of orange.<\/em><\/p>\n<p>After creating the ransom note, KillDisk starts a thread that keeps the window always on top by using the SetWindowPos() and SetForegroundWindow() APIs with specific arguments. The following code keeps the ransom note on top:<\/p>\n<p style=\"text-align: center;\"><em>The\u00a0HWND_TOPMOST flag places the window above all non-topmost windows, even after the window is deactivated.<\/em><\/p>\n<p><strong>-opt=frc.\u00a0<\/strong>This value triggers the encryption process. Variant 1, the destroyer malware, overwrites the files with 0x100 bytes that contain either the string &#8220;mrR0b07&#8221; or &#8220;fS0cie7y,&#8221; both inspired by the TV series &#8220;Mr. Robot.&#8221; The following screenshot shows the infected files:<\/p>\n<p style=\"text-align: center;\"><em>Files infected by Variant 2.<\/em><\/p>\n<p>Before overwriting the files, the malware ensures that it has full access to each file. 
To get the access rights, it uses the Windows tool icacls.exe to modify the Access Control Lists for files and folders:<\/p>\n<p style=\"text-align: center;\"><em>Modifying the Access Control List for all files on the C drive.<\/em><\/p>\n<ul>\n<li>\/T \u00a0=&gt; \u00a0Traverse all subfolders<\/li>\n<li>\/C \u00a0=&gt; \u00a0Continue on file errors<\/li>\n<li>\/Q =&gt;\u00a0 Quiet, suppress success messages<\/li>\n<li>\/grant<em> user: permission<\/em> =&gt; \u00a0Grant access rights to the user, F: Full access<\/li>\n<\/ul>\n<p>This variant also creates 50MB garbage files (filled with null bytes) on the Windows drive, to fill up the disk space. To hold the garbage files, it creates a folder at the root of the Windows drive with a CLSID name. To hide them from victims, the malware sets the folder&#8217;s attributes to system and hidden.<\/p>\n<p><strong>-opt=cnc.\u00a0<\/strong>This value is used to clean the malware from the system. It uses the ControlService() API to send a stop signal to the service and the QueryServiceConfigA() API to get the file path from the service properties. The malware then deletes the registry entries and service from the system and also deletes the file.<\/p>\n<p><strong>-opt=chk.\u00a0<\/strong>This value is likely to be used during debugging. It checks for the service and registry entries, and then prints output accordingly.<\/p>\n<p><strong>-opt=svc.\u00a0<\/strong>This value is given to the application while installing the service. It leads to the execution of the service handler function, registered through the RegisterServiceCtrlHandler() API. 
While debugging the code, we can see the code that executes commands to ping the local host and then delete itself with the help of the WinExec() API:<\/p>\n<p style=\"text-align: center;\"><em>WinExec() executes commands to ping and delete itself.<\/em><\/p>\n<p>On restarting, this malware deletes itself, but it does not remove the service, which remains installed.<\/p>\n<p><strong>Unlocking the screen<\/strong><\/p>\n<p>We successfully bypassed the ransom note lock screen with the help of the \u201cWindows key + Tab\u201d feature, which is available in Windows 7 and later versions.<\/p>\n<p>To use this technique, you&#8217;ll need Windows 7 or later infected with KillDisk, a keyboard connected to the system, and good eyes. (You have to look carefully.)<\/p>\n<p>Here are the steps to unlock the lock screen of KillDisk:<\/p>\n<p><strong>Step 1:<\/strong> Press Windows Key + Tab. You will be prompted with the open applications window.<\/p>\n<p><strong>Step 2:<\/strong> Press \u201cWindows Key + D\u201d or switch to the desktop using Step 1.<\/p>\n<p><strong>Step 3:<\/strong> Open \u201crun\u201d using \u201cWindows key + R\u201d and check whether you have the run window using Step 1.<\/p>\n<p><strong>Step 4:<\/strong> Type \u201ccmd\u201d and hit enter. You will get the command prompt; confirm using Step 1.<\/p>\n<p><strong>Step 5:<\/strong> Type \u201ctasklist\u201d and hit\u00a0enter.<\/p>\n<p><strong>Step 6:<\/strong> Using \u201cWindows Key + Tab,\u201d check the process name on the list. (Good eyes needed.)<\/p>\n<p>Because the malware killed all the other processes, it is likely all the processes will appear in a single command window. 
If not, change the command prompt size using the following command:<\/p>\n<p><strong>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/strong>mode con: cols=Value lines=Value<strong> \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/strong> \/\/ Update &#8220;Value&#8221; to fit your display<\/p>\n<p><strong>Step 7:<\/strong> After getting the process list, identify the malware process from the output of tasklist. If you know the malware process name, good. Otherwise you have to check the running processes from the whitelist previously mentioned and select the process that is not on the list. (That will likely be the malware process.)<\/p>\n<p><strong>Step 8:<\/strong> Get the PID of the malware process from the second column of the tasklist output.<\/p>\n<p><strong>Step 9:<\/strong> After getting the malware PID, kill the process using the following command:<\/p>\n<p><strong>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Taskkill \/PID Malware_PID \/F<\/strong><\/p>\n<p>After following these steps successfully, you will get your system back but the files will still be encrypted. This technique might work on other ransomware.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>KillDisk is new to the world of ransomware. It has implemented a whitelisting technique to protect itself. We have discussed its internal working and a way to unlock the screen locked by ransomware.<\/p>\n<p>McAfee products detect all known variants of this malware.<\/p>\n","protected":false}}