The KillDisk disk-wiper program that was used in conjunction with BlackEnergy malware to attack Ukrainian energy utilities has evolved into ransomware that may be targeting industrial-control networks.
According to researchers at CyberX, the new variant was developed by the TeleBots cybergang, which recently emerged from the Sandworm threat group that is believed to have knocked the Ukrainian power grid offline in December 2015 and January 2016, and allegedly compromised U.S. industrial-control systems and SCADA systems in 2014. Earlier this year, ESET researchers reported that TeleBots was using a different version of KillDisk to conduct cybersabotage attacks against the Ukrainian financial sector.
In a blog post on Tuesday, CyberX reported that the ransomware variant is distributed via malicious Office attachments and displays a pop-up message demanding 222 Bitcoins, currently the equivalent of approximately $206,000. The variant’s exorbitant ransom and its link to Sandworm suggest that the group could be actively launching ransomware attacks against industrial-control networks.
KillDisk uses a mix of RSA 1028 public-key and AES shared-key algorithms to encrypt local hard drives and network-mapped folders that are shared across organizations, CyberX further reported.