KillDisk
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | KillDisk overwrites the first sector of the Master Boot Record with “0x00”.(Citation: Trend Micro KillDisk 1)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | KillDisk deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)
Enterprise | T1070.004 | Indicator Removal: File Deletion | KillDisk has the ability to quit and delete itself.(Citation: ESET Telebots Dec 2016)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | KillDisk registers as a service under the Plug-And-Play Support name.(Citation: ESET Telebots Dec 2016)
Groups That Use This Software

ID | Name | References
---|---|---
 | | (Citation: Booz Allen Hamilton)
G0082 | APT38 | (Citation: ESET Lazarus KillDisk April 2018)
G0034 | Sandworm Team | (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: Secureworks IRON VIKING)
References
- Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
- Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
- Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
- Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
- Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.