It has been a few months since we have posted a blog regarding disk-wiping and encrypting malware. Since then, a new variant has been released in the wild.
A malware family we previously reported on is now a growing nightmare for computer users. Besides sabotaging and encrypting files, and deleting the originals after they are rewritten, its operators have added another component to the equation: once the files are encrypted, they demand a huge ransom.
Some people might already have heard of the KillDisk malware, which has targeted the industrial sector in attacks carried out by Sandworm or TeleBots.
The Sandworm gang is known for its work on the Sandworm malware that targeted and sabotaged industrial control systems (ICS) and supervisory control and data acquisition (SCADA) industrial devices in the US in 2014.
It has been reported previously that KillDisk was used in cyber espionage and cyber-sabotage.
The group named Sandworm Gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan and the KillDisk disk-wiping malware.
The KillDisk malware made noise from 2015 to 2016, when another gang, dubbed the BlackEnergy cyber-espionage group, used the malware to attack and sabotage Ukrainian companies active in the energy, mining, and media sectors.
As of this writing, there is no known connection between BlackEnergy and the TeleBots/Sandworm gang.
The KillDisk malware was recently used against Ukrainian banks.
It is a known fact that the TeleBots gang has crippled the operations and activities of several businesses around the world.
The latest attacks were against Ukrainian banks via backdoor trojans that infected bank employees' computers. What is unique about this backdoor is that it uses the Telegram protocol to communicate with its operators.
Their primary objective is to collect as much information as possible from infected systems, such as passwords and important files and documents. They would then deploy the KillDisk component, which deleted crucial system files and replaced them with encrypted copies bearing unknown file extensions, thus rendering the computer unbootable and hiding the way they infiltrated the system.
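The replacement of files with encrypted copies under unfamiliar extensions leaves a simple, defender-side signal: encrypted data is close to uniformly random, so its byte entropy is far higher than that of a document, log or script. The script below is an added example, not code from the original post or from any of the groups it describes; it walks a directory, skips extensions on an assumed allowlist (the set `KNOWN_EXTENSIONS` is an assumption, not something the post specifies) and flags files whose extension is unknown and whose leading bytes have entropy above 7.5 bits per byte. The sample tree it builds is constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed allowlist: extensions a baseline inventory of the host would normally contain.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".exe", ".dll", ".sys", ".log", ".ini"}

# Entropy in bits per byte (maximum 8.0); encrypted or compressed data sits near the top.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_files(root: str, sample_size: int = 4096) -> list:
    """Return sorted paths under `root` whose extension is not on the allowlist AND
    whose first `sample_size` bytes have entropy above ENTROPY_THRESHOLD."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in KNOWN_EXTENSIONS:
                continue  # familiar type; a high-entropy .pdf or .docx is normal
            with open(path, "rb") as fh:
                head = fh.read(sample_size)  # a sample is enough; no need to read whole files
            if shannon_entropy(head) > ENTROPY_THRESHOLD:
                flagged.append(path)
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed sample directory (not real victim data):
    - report.txt: an ordinary text document
    - notes.scratch: unknown extension but plain text, so low entropy
    - report.txt.x7f2: unknown extension whose content is random bytes, standing in
      for a file overwritten by an encrypted copy"""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly report: revenue up 3%, costs flat.\n" * 50)
    with open(os.path.join(root, "notes.scratch"), "wb") as fh:
        fh.write(b"todo: rotate service account passwords\n" * 40)
    with open(os.path.join(root, "report.txt.x7f2"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in suspicious_files(sample_root):
        print("possible encrypted replacement:", hit)
```

Only `report.txt.x7f2` is reported: the allowlisted text file is never examined, and the unknown-extension scratch file has plain-text entropy of roughly 4 bits per byte. In practice this check belongs on a file-integrity or EDR baseline rather than a one-off scan, and the extension allowlist should be derived from the host's own inventory.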
In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) to draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivist group portrayed in the show.
At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations.
What is surprising is that KillDisk ransomware demands over $215,000 worth of bitcoins.
Why would they do such a thing? It is relatively simple: by posing as a ransomware attack, they can easily hide their tracks.
Victims would assume they have been hit by ransomware rather than look for the TeleBots backdoor trojan or other data-exfiltration malware.
What victims normally do is restore data from backups or pay the ransom. The attackers are capitalizing on the fact that victims would rather restore or pay than attract bad publicity from the press.
A message on the infected computer would show that they are asking for a 222 Bitcoin ransom which amounts to roughly $215,000.
Their encryption method is rather robust: each file is encrypted with its own AES key, and that AES key is then encrypted with a public RSA-1028 key.
To unlock the files, the victim must contact the TeleBots gang via an email address, pay the ransom, and receive the private RSA key that decrypts all the files.
The reason for the huge ransom is that this is a targeted attack in which they plan to extort as much money as they can, backed by the threat of dumping the sensitive files they have stolen via their backdoor trojan.
It may or may not reach regular computer users, but there is a possibility that it will, since the code is easily modifiable to suit their needs. Consider this a warning and be very careful not to get infected with it.