KillDisk Malware Now a Ransomware, Organizations Should Prepare

KillDisk malware is now capable of encrypting data. A newly discovered variant of the malware acts like ransomware and demands money in exchange for decryption. KillDisk ransomware was spotted in attacks on industrial control systems, and now researchers are worried that the updated variant will bring ransomware into this sector.

Related: TeleBots Target Ukrainian Financial Sector with KillDisk Malware

Threat Summary



Short Description: KillDisk malware has been transformed into ransomware, primarily targeting organizations.
Symptoms: The files are encrypted with a combination of AES and RSA 1028.
Distribution Method: Exploit kits.

KillDisk Malware Turns into Ransomware: Technical Details

Previous versions of KillDisk were designed to wipe hard drives so that the targeted system is inoperable. The new iteration of the malware was analyzed by industrial cybersecurity firm CyberX. The researchers discovered that the malware-turned-ransomware is using a combination of RSA and AES algorithms.

KillDisk Encryption Process

Each targeted file is encrypted with an individual AES key, and all of those keys are then encrypted using the RSA 1028 key, which is stored in the body of the malware. Basically, researchers were able to conclude that the KillDisk ransomware, or crypto malware, is quite sophisticated and well-written. The newly detected variant shares a lot with the previously detected KillDisk pieces.

What Data Does KillDisk Ransomware Target?

The crypto malware is able to encrypt a range of files, such as documents, databases, source code, disk images, emails, and media files. In addition, both local partitions and network folders are targeted successfully.
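For responders scoping the damage across the file categories and folders listed above, the Python code below is an added example, not part of the original article or of CyberX's analysis. It flags files whose format header is gone or whose content looks random. The magic-byte table, the 7.5 bits/byte threshold, and the premise that encrypted files keep their original extension and are encrypted from the first byte are assumptions; the random bytes in `demo()` are constructed stand-ins for ciphertext.

```python
import math, os, tempfile
from collections import Counter

# Leading "magic" bytes for some file categories the article lists (assumed, illustrative subset).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG",
         ".jpg": b"\xff\xd8\xff", ".sqlite": b"SQLite format 3\x00"}
TEXT_EXT = {".txt", ".c", ".py", ".sql", ".eml"}  # plain-text categories
ENTROPY_LIMIT = 7.5  # bits per byte; AES output sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """Return 'ok', 'suspect', 'unknown' or 'unreadable' for one file."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as fh:
            data = fh.read(sample_size)
    except OSError:
        return "unreadable"
    if ext in MAGIC:  # structured format: the header must still match
        return "ok" if data.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXT:  # text should never look like random bytes
        return "suspect" if shannon_entropy(data) > ENTROPY_LIMIT else "ok"
    return "unknown"

def triage(root: str) -> dict:
    """Walk a local or mounted network folder and classify every file."""
    paths = (os.path.join(d, n) for d, _s, names in os.walk(root) for n in names)
    return {os.path.relpath(p, root): classify(p) for p in paths}

def demo() -> dict:
    """Triage constructed samples; random bytes stand in for ciphertext."""
    samples = {"report.pdf": b"%PDF-1.4\n" + b"text " * 500,
               "main.c": b"int main(void) { return 0; }\n" * 200,
               "ledger.pdf": b"\x00" + os.urandom(4095),
               "notes.txt": os.urandom(8192)}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:8} {name}")
```

Small text files cannot reach the entropy threshold even when encrypted, and compressed formats are high-entropy by design, so treat the output as a list to review against backups rather than a verdict.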

The amount of the ransom is 222 Bitcoin, which amounts to $210,000. This alone proves that the ransomware operators will be targeting organizations with great financial resources. The email address provided to affected users is connected to Lelantos, a secure, anonymous email provider available through Tor. As for the Bitcoin address provided for payments, no transactions have been detected there.

KillDisk Ransomware Removal

Even though the ransomware may be targeting organizations, it doesn’t mean that it won’t be leveraged in campaigns against home users. Ransomware operators and malware authors have proven to be extremely flexible in transforming their campaigns to fit a range of malicious purposes.

That being said, the manual provided below will guide you through the removal process of any ransomware, KillDisk included. Depending on your knowledge and experience in malware removal, you can try removing the threat manually or automatically.

Manually delete KillDisk from your computer

Note! Important notice about the KillDisk threat: Manual removal of KillDisk requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove KillDisk files and objects
2. Find malicious files created by KillDisk on your PC

Automatically remove KillDisk by downloading an advanced anti-malware program

1. Remove KillDisk with SpyHunter Anti-Malware Tool and back up your data
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova
