Delaware, USA – January 16, 2018 – Researchers from Trend Micro have discovered a new version of KillDisk, which attacks financial institutions in Latin America. KillDisk is a disk-wiping tool in the arsenal of the infamous SandWorm hacker group. It was used in BlackEnergy campaign and over time, attackers modified this wiper to disguise it as Ransomware. But in the last uncovered attacks, this malware did not include a ransom note. Researchers continue to study the detected malware, and it is not yet known how it infects systems. Presumably, KillDisk is part of other malware and, as it was in the BlackEnergy campaign, serves to eliminate traces of group’s criminal activity. Malware renames files randomly and overwrites parts of files with 0x00 before deleting and then scans and rewrites MBR.
So far, researchers are at a loss to define threat actor behind these attacks and what goals are pursued by adversaries. It is necessary to make sure that backup process is appropriately implemented in your organization, as well as monitor suspicious activity on the network. The last attacks target Windows-based systems, so you can use the Windows Security Monitor SIEM use case to monitor security events and detect suspicious patterns.