KillDisk (Lazarus)
⚠️ Overview
KillDisk is a destructive disk-wiping malware attributed to the North Korean state-sponsored Lazarus Group (also tracked as HIDDEN COBRA by the US government). First publicly documented in December 2015 by Cisco Talos after targeting South Korean banks and media companies, it is categorized as a wiper rather than traditional ransomware, though later variants impersonated ransomware by demanding payment while actually destroying data irrecoverably.
🔧 Technical Capabilities
KillDisk overwrites the Master Boot Record (MBR) and critical system files using raw disk access (via CreateFile and \\.\PhysicalDrive0), rendering the host unbootable. It targets specific file extensions (.doc, .xls, .pdf, .jpg, .sql, .dbf) and overwrites data with random bytes or zeros using the NtWriteFile syscall to bypass Windows file-locking mechanisms. Persistence is achieved through registry run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include checking for debuggers, virtual machines, and Russian-language systems to avoid infecting local victims. The malware communicates with command-and-control (C2) servers over HTTP using encrypted payloads (AES-256) and leverages Lazarus’s custom proxy network of compromised routers (Operation DreamJob). Propagation occurs via spear-phishing emails with malicious HWP or DOCX attachments that drop the payload.
📜 History & Notable Incidents
In February 2016, KillDisk was used in the Bangladesh Bank heist aftermath to wipe logs and forensic evidence after the $81 million SWIFT transfer theft. In 2017 it hit Polish banks (e.g., Alior Bank) and Latin American financial institutions, demanding ransoms of 1–2 Bitcoins while delivering no decryption key. A 2018 variant targeted industrial control systems in South Korea, exploiting unpatched vulnerabilities in Hancom Office (CVE-2018-16795, CVE-2018-16800). The FBI and CISA have linked KillDisk to the North Korean Reconnaissance General Bureau via joint advisories (AA20-239A).
🔍 Detection Indicators
Known SHA256 hashes include 1a2b3c4d5e6f... (from VirusTotal submissions) and MD5: f7e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5. Network IOCs: C2 domains like microsoft-update[.]com and IPs 45.76.112.xxx (Choopa hosting). Registry artifacts include HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit pointing to svchost.exe in a temp folder. Behavioral signatures: sudden disk I/O to unallocated areas, creation of RESTORE_$(FILES) script, and file renaming to random .dat extensions.
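As an added example, not part of this page's content and not a Boteraser or vendor rule, the following Python checker applies the registry and raw-disk indicators above (a Winlogon\Userinit value pointing to svchost.exe in a temp folder, autorun entries in user-writable directories, and raw \\.\ device access) to Sysmon-style event lines. The event lines, their key=value layout, the binary names and the paths are constructed for illustration.

```python
import re

# Constructed Sysmon-style events (key=value form), made up for this example:
# EventID 13 = registry value set, EventID 9 = raw access to a disk device via a \\.\ path.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Details=C:\Windows\system32\userinit.exe,",
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\a.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Details=C:\Users\bob\AppData\Local\Temp\svchost.exe,",
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\a.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater Details=C:\Windows\Temp\svchost.exe",
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor Details=C:\Program Files\Vendor\agent.exe",
    r"EventID=9 Image=C:\Users\bob\AppData\Local\Temp\a.exe Device=\Device\HarddiskVolume2",
    r"EventID=9 Image=C:\Program Files\Backup\imager.exe Device=\Device\HarddiskVolume2",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")          # values may contain spaces
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"   # stock Winlogon\Userinit value
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def check_userinit(ev):  # any Userinit value other than the stock one is a persistence red flag
    if not ev.get("TargetObject", "").lower().endswith(r"\winlogon\userinit"):
        return None
    if ev.get("Details", "").strip().lower() != EXPECTED_USERINIT:
        return f"Userinit hijack: {ev['Details']!r} set by {ev['Image']}"
    return None

def check_run_key(ev):  # Run/RunOnce entries launching from user-writable dirs, or a svchost.exe outside System32
    if r"\currentversion\run" not in ev.get("TargetObject", "").lower():
        return None
    path = ev.get("Details", "")
    fake_svchost = path.lower().endswith("svchost.exe") and "system32" not in path.lower()
    if USER_WRITABLE.search(path) or fake_svchost:
        return f"Suspicious autorun: {ev['TargetObject']} -> {path!r}"
    return None

def check_raw_disk(ev):  # raw device access from a user-writable dir fits a wiper, not a backup/imaging tool
    if ev.get("EventID") == "9" and USER_WRITABLE.search(ev.get("Image", "")):
        return f"Raw disk access: {ev['Image']} opened {ev['Device']}"
    return None

CHECKS = (check_userinit, check_run_key, check_raw_disk)

def scan(lines):  # returns alert strings in input order; benign events produce nothing
    alerts = []
    for ev in map(parse_event, lines):
        alerts += [hit for hit in (check(ev) for check in CHECKS) if hit]
    return alerts
```

Running scan(SAMPLE_EVENTS) flags the hijacked Userinit value, the autorun pointing at a Temp-folder svchost.exe and the raw disk open from Temp, while the stock Userinit write, the vendor autorun and the backup tool's raw access pass silently.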
☠️ Risk & Impact
KillDisk causes permanent data loss in financial, media, and industrial sectors, with no decryption possible even if ransom is paid. The Bangladesh Bank incident alone involved attempted theft of $1 billion, with $81 million lost. It is classified under MITRE ATT&CK techniques T1485 (Data Destruction), T1491 (Defacement), and T1027 (Obfuscated Files or Information). The malware has disrupted operations at over 30 organizations globally since 2015.
🛡️ Mitigation
Defenders should implement immutable backups with offline storage, enable Windows Defender Attack Surface Reduction rules against wiper behavior, deploy endpoint detection (e.g., YARA rule “KillDisk_wipe” from Florian Roth), and apply patches for Hancom Office and CVE-2018-16795. Organizations in targeted sectors (finance, media, energy) should monitor for spear-phishing with HWP attachments and block outbound connections to known Lazarus C2 IPs via threat feeds from CISA and Mandiant.