What is KillDisk ransomware? And how does it execute its attack?
KillDisk ransomware, previously known simply as KillDisk, was first developed as a disk wiper. Earlier versions of the malware had no encryption capability, but its developers have since released a new version that can encrypt files. This infection is extremely dangerous because it can wreck the operating system and leave the PC unbootable. Because of this destructive, system-paralyzing behaviour, the cyber criminals who created it aimed it at large companies.
According to security experts, KillDisk has been combined with other Trojans such as the BlackEnergy infection to carry out a devastating attack on an energy supply company: in December 2015 that attack cut electricity to over 1.4 million people in Ukraine. Judging by the new version, its developers are out for blood or money once again, having modified this harmful malware into a file-encrypting threat that not only encrypts data but also wipes it if victims fail to comply with the cyber crooks’ demands.
Because of these destructive capabilities, the cyber criminals have the gall to demand an astonishing ransom of 222 Bitcoins, equivalent to $245707 at the time of writing. The malware employs the RSA 1028 encryption algorithm to encrypt files, and it encrypts local hard drives as well as network-mapped folders. After encryption it opens a ransom note that reads:
“We are so sorry, but the encryption
of your data has been successfully completed,
so you can lose your data or
pay 222 btc to Q194RXqr5WzyNh9Jn3YLDGeBoJxJBigcF
with blockchain info
contact e-mail: [email protected]”
This file-encrypting and disk-wiping malware was found to be using lelantos.org to cover its tracks. Security specialists from CyberX, however, suspect that the hacker group known as TeleBots may be behind these attacks.
According to security experts, this new variant also hides itself as it enters the targeted system. After a successful infiltration it copies itself into memory, deletes the file it was loaded from on disk and changes its name. It then gives files random names before deleting them, leaving only the files that are vital to the operating system untouched. After that, it attempts to wipe the disk: it reads the MBR and overwrites the first 0x20 sectors with 0x00, doing further damage to the already wrecked system. After 15 minutes it shuts the PC down by terminating the following processes:
- wininit.exe (Windows Start-Up Application)
- winlogon.exe (Windows Logon Application)
- lsass.exe (Local Security Authority Subsystem Service)
- csrss.exe (Client/Server Run-Time Subsystem)
In addition, KillDisk ransomware calls the Windows API function ExitWindowsEx to force the computer to restart, and terminating wininit.exe and csrss.exe produces a Blue Screen of Death, so the computer restarts abruptly without any action from the user.
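The overwrite of the first 0x20 sectors described above is what a forensic examiner looks for on an affected disk image. The following Python triage script is an added example, not code from the original article or from any vendor: it reads the start of a raw image, decodes the MBR boot signature and partition table in sector 0, counts how many of the leading 0x20 sectors are entirely zero, and reports whether the region is intact, damaged, or consistent with that wipe. The two sample images it builds are constructed for the demonstration; the 512-byte sector size and the 0x55AA signature are standard MBR layout facts, not something the article states.

```python
"""Forensic triage of the first 0x20 sectors of a raw disk image.

The wipe described above overwrites the first 0x20 (32) sectors with 0x00,
which destroys the MBR in sector 0 and everything up to sector 31. This
added example decodes the MBR (boot signature and partition table) and
counts how many of those leading sectors are entirely zero, so an examiner
can tell an intact disk start from one consistent with that wipe.
"""
import struct
import sys

SECTOR_SIZE = 512        # assumed: classic 512-byte sectors on an MBR disk
WIPED_SECTORS = 0x20     # number of leading sectors the article says are overwritten
MBR_SIGNATURE = 0xAA55   # bytes 0x55 0xAA at offset 510, read little-endian
PARTITION_TABLE = 446    # offset of the four 16-byte partition entries


def parse_mbr(sector: bytes):
    """Decode a 512-byte MBR sector.

    Returns (signature_ok, partitions) where each partition is a tuple
    (bootable, type_id, lba_start, sector_count); empty entries (type 0)
    are skipped.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR sector must be at least 512 bytes")
    signature_ok = struct.unpack_from("<H", sector, 510)[0] == MBR_SIGNATURE
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE + 16 * i
        # entry layout: boot flag, 3-byte CHS start, type, 3-byte CHS end,
        # LBA start (u32), sector count (u32)
        boot, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if type_id != 0:
            partitions.append((boot == 0x80, type_id, lba_start, count))
    return signature_ok, partitions


def assess_disk_start(image: bytes) -> dict:
    """Triage the leading WIPED_SECTORS sectors of a raw image.

    Verdicts: "wiped" when every leading sector is all 0x00 (matches the
    behaviour described above), "intact" when the MBR signature and at
    least one partition entry survive and nothing is zeroed, otherwise
    "damaged".
    """
    head = image[: SECTOR_SIZE * WIPED_SECTORS]
    sectors = [head[i:i + SECTOR_SIZE] for i in range(0, len(head), SECTOR_SIZE)]
    zeroed = sum(1 for s in sectors if not any(s))
    signature_ok, partitions = parse_mbr(image[:SECTOR_SIZE])
    if sectors and zeroed == len(sectors):
        verdict = "wiped"
    elif signature_ok and partitions and zeroed == 0:
        verdict = "intact"
    else:
        verdict = "damaged"
    return {
        "zeroed_sectors": zeroed,
        "signature_ok": signature_ok,
        "partitions": partitions,
        "verdict": verdict,
    }


def build_sample_mbr() -> bytes:
    """Construct an obviously synthetic MBR: NOP filler in place of boot
    code, one bootable partition entry, and the 0x55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:PARTITION_TABLE] = b"\x90" * PARTITION_TABLE
    # constructed entry: bootable, type 0x07, starts at LBA 2048, 204800 sectors long
    sector[PARTITION_TABLE:PARTITION_TABLE + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


def build_images():
    """Two constructed images: a healthy disk start and one zeroed like the wipe above."""
    tail = b"\xAB" * (SECTOR_SIZE * 8)   # data beyond the wiped region, left untouched
    healthy = build_sample_mbr() + b"\x11" * (SECTOR_SIZE * (WIPED_SECTORS - 1)) + tail
    wiped = b"\x00" * (SECTOR_SIZE * WIPED_SECTORS) + tail
    return healthy, wiped


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python mbr_wipe_check.py /path/to/disk.img  (hypothetical file name)
        with open(sys.argv[1], "rb") as fh:
            samples = {"image": fh.read(SECTOR_SIZE * WIPED_SECTORS)}
    else:
        healthy, wiped = build_images()
        samples = {"healthy": healthy, "wiped": wiped}
    for name, data in samples.items():
        result = assess_disk_start(data)
        print(f"{name}: verdict={result['verdict']} zeroed={result['zeroed_sectors']}/{WIPED_SECTORS} "
              f"signature_ok={result['signature_ok']} partitions={result['partitions']}")
```

Run without arguments it triages the two constructed images; pass a path to a raw (dd-style) image to triage a real disk start. A "wiped" verdict only says the leading sectors are zero-filled, which is the pattern described above; recovering partitions then depends on backup copies of the partition table or on carving file system headers beyond sector 0x20.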
How does KillDisk ransomware proliferate?
KillDisk ransomware proliferates like a typical ransomware threat, through spam emails, even though it is not your average ransomware infection. According to experts from BedyNet.ru, the creators of KillDisk ransomware may disguise the email as something from the Office of Personnel Management (OPM) to lure users into opening it.
Make sure you carefully follow the steps laid out below to wipe out this file-encrypting and disk-wiping malware.
Step 1: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Step 2: Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt hit Enter.
Step 3: After the Command Prompt loads, type cd restore and hit Enter.
Step 4: After cd restore, type rstrui.exe and hit Enter.
Step 5: A new window will appear; click Next.
Step 6: Select any Restore Point from the list and click Next. This restores your computer to the state it was in before the KillDisk ransomware infection. When a dialog box appears, click Yes.
Step 7: Open Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for the malicious processes of KillDisk Ransomware and end them all.
Step 8: Open Control Panel by pressing Start key + R to launch Run, type appwiz.cpl in the box and click OK to open the list of installed programs. From there, look for KillDisk ransomware or any other malicious program and Uninstall it.
Step 9: Hold down the Windows + E keys simultaneously to open File Explorer, then go to the directory listed below and look for the files created by KillDisk ransomware, such as its ransom note, “READ_ME.txt”.
- C:\Users\(your pcname)\AppData\Roaming
Step 10: Close the File Explorer.
Before you proceed to the next steps, make sure you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a big impact on your computer. To save yourself the trouble and time, you can simply use PC Cleaner Pro; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 11: Tap Win + R to open Run, type regedit in the field and tap Enter to pull up the Windows Registry.
Step 12: Navigate to the following path:
Step 13: Delete the registry keys and sub-keys created by KillDisk ransomware.
Step 14: Close the Registry Editor and empty your Recycle Bin.
Follow the continued advanced steps below to ensure the removal of the Locky ransomware:
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. The installation starts automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.