The threat intelligence team at CyberX has revealed a new version of the KillDisk malware. The malware was responsible for taking out the Ukraine power grid earlier this year. Now it has added ransomware to its arsenal and wants 222 Bitcoins or around $210,000 for the unlock key. The details were unveiled by Phil Neray in a blog on the CyberX website.
The change of focus for KillDisk was discovered when the CyberX engineering team reverse engineered the malware. The team found a pop-up message asking for the 222 Bitcoins. The infection is spread using malicious Office attachments. It then uses very strong encryption, RSA 1028 public key and AES shared key algorithms, to lock the files.
How is it spread?
Once inside a target company KillDisk targets any drive, local and network, that the user has access to. This means that infecting one user can shut down a number of others. What is not clear is whether it then propagates itself across the network.
Several analysts have said that they expect to see ransomware acquiring the ability to jump from machine to machine. This raises the risk of a user infected at home coming into the office and then infecting other users. Home infection rates are high due to much lower security. Organisations that support BYOD are therefore at a greater risk of a user bringing an attack into the office.
In March, SecureWorks said that its researchers were aware of ransomware only going live after investigating victims' networks. They claim that this allows the ransomware owner to be more selective about the data they encrypt. Such an approach is interesting. One of the preventative measures that security vendors recommend is honeypot directories. Unless files in those directories are regularly added and updated, ransomware that monitors file activity will be able to avoid the trap.
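The honeypot (canary) directory approach described above can be shown in working code. The script below is an added example and is not from the CyberX blog or from SecureWorks: it creates decoy files with random content, keeps a checksum baseline, raises an alert when a decoy is modified, removed or joined by an unexpected file such as a ransom note, and, to address the staleness problem the paragraph raises, rewrites the decoys on a schedule so the directory never looks abandoned. The decoy file names, the `Finance_Shared` folder, the ransom-note name and the age thresholds are all constructed for the demonstration.

```python
"""Canary directory monitor with periodic refresh (added example, not the blog's code)."""
import hashlib
import os
import secrets
import tempfile
import time
from pathlib import Path

# Constructed decoy names; in practice choose names that match the share's real content.
CANARY_NAMES = ("budget_2017.xlsx", "payroll_q4.docx", "plc_config_backup.zip")
CANARY_SIZE = 2048  # bytes of random content per decoy


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def create_canaries(directory: Path) -> dict:
    """Create the decoys and return a {path: sha256} baseline for later checks."""
    directory.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = directory / name
        path.write_bytes(secrets.token_bytes(CANARY_SIZE))
        baseline[str(path)] = sha256_of(path)
    return baseline


def refresh_canaries(baseline: dict) -> dict:
    """Rewrite every decoy so its content and mtime change.

    This is the countermeasure to ransomware that watches for directories
    nobody touches: a regularly refreshed decoy looks like live data.
    """
    for p in baseline:
        path = Path(p)
        path.write_bytes(secrets.token_bytes(CANARY_SIZE))
        baseline[p] = sha256_of(path)
    return baseline


def canaries_stale(baseline: dict, max_age_seconds: float, now: float = None) -> bool:
    """True if any decoy has not been rewritten within max_age_seconds."""
    now = time.time() if now is None else now
    return any(now - Path(p).stat().st_mtime > max_age_seconds for p in baseline)


def check_canaries(directory: Path, baseline: dict) -> list:
    """Return alerts: decoy missing (deleted or renamed), content changed
    (overwritten/encrypted) or an unexpected file dropped into the directory."""
    alerts = []
    for p, digest in baseline.items():
        path = Path(p)
        if not path.exists():
            alerts.append(f"MISSING {path.name}")
        elif sha256_of(path) != digest:
            alerts.append(f"MODIFIED {path.name}")
    expected = {Path(p).name for p in baseline}
    for entry in sorted(directory.iterdir()):
        if entry.name not in expected:
            alerts.append(f"UNEXPECTED {entry.name}")
    return alerts


def run_scenario() -> dict:
    """Constructed walkthrough in a temporary directory: clean check, a simulated
    file-overwriting payload plus ransom note, a staleness check, then a refresh."""
    with tempfile.TemporaryDirectory() as tmp:
        canary_dir = Path(tmp) / "Finance_Shared"
        baseline = create_canaries(canary_dir)
        clean = check_canaries(canary_dir, baseline)

        # Simulate the effect of an encrypting payload on one decoy and a dropped note.
        victim = Path(next(iter(baseline)))
        victim.write_bytes(secrets.token_bytes(CANARY_SIZE))
        note = canary_dir / "README_DECRYPT.txt"
        note.write_text("constructed ransom note placeholder")
        hit = check_canaries(canary_dir, baseline)

        # Age the decoys 30 days back, confirm the staleness check fires, then refresh.
        old = time.time() - 30 * 86400
        for p in baseline:
            os.utime(p, (old, old))
        stale_before = canaries_stale(baseline, max_age_seconds=7 * 86400)
        note.unlink()
        baseline = refresh_canaries(baseline)
        stale_after = canaries_stale(baseline, max_age_seconds=7 * 86400)
        after_refresh = check_canaries(canary_dir, baseline)

    return {"clean": clean, "hit": hit, "stale_before": stale_before,
            "stale_after": stale_after, "after_refresh": after_refresh}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In production the `check_canaries` call would run from a scheduled task or a file-system watcher, and `refresh_canaries` would run on its own schedule so that the decoys' timestamps keep moving; an alert on any decoy is a strong signal to isolate the host and the share it was reached from.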
The CyberX blog does not say if KillDisk is researching its victims or if it can spread from machine to machine.
Another Russian cyberattack
CyberX has said that it believes this new version of KillDisk has been developed by TeleBots, a Russian cybercriminal team. It claims that they were previously involved with another hacking group, Sandworm. That group was believed to be responsible for other attacks on US-based organisations in 2014 and the Ukraine power grid. All of those attacks exploited macros inside Microsoft Excel spreadsheets. Microsoft has since patched that vulnerability, but this latest version of KillDisk could be exploiting new vulnerabilities.
Five steps industrial organisations can take to protect themselves
The CyberX blog also contains a list of five steps that industrial organisations can take to protect themselves from attack. It includes:
- Ensure OT backup processes are monitored to make sure they’re functioning properly.
- Invest in security awareness training for all employees.
- Segment OT networks as much as possible to prevent malware from spreading.
- Perform continuous risk assessments on OT networks to identify vulnerabilities such as unauthorized Internet and other remote connections, and unpatched devices and systems (for example, CyberX has reported on vulnerable HMIs, industrial firewalls, PLCs, and Industrial Internet of Things (IIoT) devices).
- Continuously monitor all OT network activity in real-time to identify behavioral anomalies indicating the presence of targeted threats and industrial malware.
Last year healthcare was the easy target for ransomware. In 2017 it looks like it will be manufacturing and industrial organisations. With many countries building out smart metering networks for electricity, gas and water, there are plenty of targets. Security around critical infrastructure companies is considered weak by many security analysts. It will be interesting to see who is the first to get hit by this attack.
The blog was published just before the US government expelled 35 Russian diplomats and their families. They are all accused of involvement in attempts to hack the recent US election. That move is likely to result in more cyberattacks on the US from Russian sponsored hacking groups.