KillDisk Malware Now a Ransomware, Organizations Should Prepare


KillDisk malware is now capable of encrypting data. A newly discovered variant of the malware acts like ransomware and demands money in exchange for decryption. KillDisk ransomware was spotted in attacks on industrial control systems, and now researchers are worried that the updated variant will bring ransomware into this sector.

Related: TeleBots Target Ukrainian Financial Sector with KillDisk Malware

Threat Summary



Short Description: KillDisk malware has been transformed into ransomware, primarily targeting organizations.
Symptoms: The files are encrypted with a combination of AES and RSA 1028.
Distribution Method: Exploit kits.

KillDisk Malware Turns into Ransomware: Technical Details

Previous versions of KillDisk were designed to wipe hard drives so that the targeted system is inoperable. The new iteration of the malware was analyzed by industrial cybersecurity firm CyberX. The researchers discovered that the malware-turned-ransomware is using a combination of RSA and AES algorithms.

KillDisk Encryption Process

Each targeted file is encrypted with an individual AES key, and then all the keys are encrypted using the RSA 1028 key, which is stored in the body of the malware. Basically, researchers were able to conclude that the KillDisk ransomware, or crypto malware, is quite sophisticated and well-written. The newly detected variant shares a lot with the previously detected KillDisk pieces.

What Data Does KillDisk Ransomware Target?

The crypto malware is able to encrypt a range of files, such as documents, databases, source code, disk images, emails, and media files. In addition, both local partitions and network folders are targeted successfully.

The amount of the ransom is 222 Bitcoin, which amounts to $210,000. This alone proves that the ransomware operators will be targeting organizations with great financial resources. The email address provided to affected users is connected to Lelantos, a secure, anonymous email provider available through Tor. As for the Bitcoin address provided for payments, no transactions have been detected there.

KillDisk Ransomware Removal

Even though the ransomware may be targeting organizations, it doesn’t mean that it won’t be leveraged in campaigns against home users. Ransomware operators and malware authors have proven to be extremely flexible in transforming their campaigns to fit a range of malicious purposes.

That being said, the manual provided below will guide you through the removal process of any ransomware, KillDisk included. Depending on your knowledge and experience in malware removal, you can try removing the threat manually or automatically.


Milena Dimitrova
