Wednesday, April 16, 2025
HomeMalwareSelf-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

Self-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

Published on

SIEM as a Service

Follow Us on Google News

A new variant of disk-wiping KillDisk malware affecting Windows machine attempts to overwrite and deletes files. Security researchers from TrendMicro detected it as TROJ_KILLDISK.IUB.

The new variant found targetting Financial organizations in Latin America does not include a ransom note as like Petya or WannaCry. Recovering the scrambled files in question because it wipes out the disk and doesn’t store the encryption keys on disk or online.

KillDisk malware used in various cyber attacks against energy sector, banking, rail, and mining industries. TrendMicro published an Initial analysis of this threat.

- Advertisement - Google News

Also Read Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

How it enters and delete files

Its file path is hardcoded and could be dropped intentionally by the attacker or any other process.The new variant goes through all the logical drives mounted(fixed and removable). With system directory, it exempted following files from deletion.

WINNT
Users
Windows
Program Files
Program Files (x86)
ProgramData
Recovery (case-sensitive check)
$Recycle.Bin
System Volume Information
old
PerfLogs

“Before a file is deleted, it is first randomly renamed. KillDisk will overwrite the first 0x2800 bytes of the file and another block that’s 0x2800-bytes big with 0x00”.

KillDisk

Disk Wiping

The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4 and then it reads the information available with the Master Boot Record (MBR) and does further damage to the partitions.

“If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to” TrendMicro said.

Forcing a Reboot – KillDisk

It consists of a numeric parameter which indicates the number of minutes(15 minutes) it will wait before shutting down the affected machine.

And it certainly can be done by tricking the user into restarting the machine or forcing a restart.It also uses the ExitWindowsEx function to forcefully restart the machine.

It will terminate the following process to restart the machine.

Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)

IOC- Hash (SHA-256):

  • 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5 — TROJ_KILLDISK.IUB
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft Teams File Sharing Unavailable Due to Unexpected Outage

Microsoft Teams users across the globe are experiencing significant disruptions in file-sharing capabilities due...

Cloud Misconfigurations – A Leading Cause of Data Breaches

Cloud computing has transformed the way organizations operate, offering unprecedented scalability, flexibility, and cost...

Security Awareness Metrics That Matter to the CISO

Security awareness has become a critical component of organizational defense strategies, particularly as companies...

New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have unveiled a new malware process injection technique dubbed "Waiting Thread Hijacking"...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have unveiled a new malware process injection technique dubbed "Waiting Thread Hijacking"...

PasivRobber Malware Emerges, Targeting macOS to Steal Data From Systems and Apps

A sophisticated new malware suite targeting macOS, dubbed "PasivRobber," has been discovered by security...

Unmasking Xworm Payload Execution Path through Jailbreaking a Malicious JScript Loader

Security researchers are analyzing a sophisticated malware delivery mechanism that uses a JScript loader...