Ransomware Attackers Target the Industrial Sector with KillDisk Variant

Throughout 2016, ransomware gangs have targeted the healthcare sector with increasing intensity. Now, however, a new ransomware variant has been developed that is being used to attack industrial companies.

The new threat does not simply lock files permanently, as other ransomware variants do. Instead, companies are threatened with full disk deletion if they do not pay the ransom, and the malware is capable of doing just that.

The malware variant used in the attacks is a tweaked version of KillDisk. KillDisk, as the name suggests, is malware that deletes the entire contents of hard drives. KillDisk has previously been used alongside BlackEnergy malware to target industrial companies, perhaps most notably energy companies in Ukraine.

The latest ransomware attacks are believed to have been conducted by malicious actors from the Sandworm group operating under the name TeleBots. Sandworm was responsible for SCADA system attacks in 2014 and a number of attacks on energy companies in Ukraine between December 2015 and January 2016.

According to ESET, TeleBots have branched out and have started attacking financial companies in Ukraine with KillDisk; however, a recent report from CyberX indicates the group is now using the tweaked KillDisk to extract sizable ransom payments from its victims. One of the most recent ransomware attacks involved a ransom demand of an astonishing 222 Bitcoin, approximately $206,000.

The ransomware is believed to be spread via malicious emails containing infected Microsoft Office documents. Once a machine is infected, the ransomware encrypts the contents of local hard drives and network-mapped folders using the RSA 1028 and AES algorithms. There is no known decryptor for the infection.

While energy companies appear to be among the attackers' targets, so too are chemical companies throughout Eastern Europe. Both sets of targets are likely to pay the ransom demands even though they are extortionate. If the attackers succeed in encrypting files that are required for industrial processes, this could cause major disruption to energy output and, in the case of chemical companies, could affect the quality of the products produced. Both would have severe financial implications, far in excess of a $200,000 ransom payment.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news