A malware variant previously linked to a hacking group with alleged ties to Russian intelligence has been transformed into a ransomware virus that is now infecting industrial control systems like those found in power plants and water treatment facilities, reports a U.S. cybersecurity firm.
This mutated version of KillDisk — malware that is capable of quickly destroying large troves of data — was first discovered in the wild by CyberX, which is based in Framingham, Massachusetts.
In its original form, KillDisk was first found in the aftermath of a historic data breach against three separate Ukrainian power companies — causing systems to malfunction and cut power to thousands of homes. In that case, KillDisk was deployed to specifically wipe computers that were used by Ukrainian operators in each facility’s command and control center.
CyberX found evidence that KillDisk ransomware was able to infect industrial control systems through targeted phishing emails and malicious attachments. Co-founder Nir Giller declined to discuss the names of organizations where the malicious code had been found.
In January 2016 FireEye security researchers attributed the Ukraine power-grid hack, and thus KillDisk, to a Russian hacking group dubbed Sandworm. Sandworm is an advanced persistent threat, or APT, that is believed to be well-funded, highly skilled and likely aligned with Russian geopolitical interests.
Recently, several of Sandworm’s unique hacking tools reemerged in hacking operations aimed at Ukrainian financial and political organizations, John Hultquist, iSight’s director of espionage analysis, previously told CyberScoop based on digital forensic evidence.
The discovery of KillDisk in a new ransomware campaign fits into a broader trend of increased Sandworm activity after what iSight analyst Sean McBride described as a relatively dormant period between February and early November 2016.
At the moment, there is no existing evidence to suggest that KillDisk’s source code has become openly available, said Giller. In other words, KillDisk is understood to be unique to Sandworm and one potential offshoot of the group, dubbed Telebots. Hultquist said that Sandworm and Telebots are the same thing.
With that being said, it remains possible that KillDisk’s code could have been shared in some other way with a non-nation-state actor to launch an independent attack, according Giller, a former member of an elite Israeli Defense Force cyber unit. It’s not uncommon to see a sophisticated software exploit, originally developed by a nation state, make its way into the hands of cyber criminals.
Giller said he is unsure exactly when the aforementioned ransomware campaign began and who is behind it.
Once infected, the KillDisk ransomware will cause a pop up to appear on a victim’s computer that reads “We are so sorry, but the encryption of your data has been successfully completed so you can lose your data or pay 222 btc [$210,000 in BitCoin currency].”
Ransomware campaigns against power companies are not a new phenomenon though these cases are typically harder to come.
In 2015, the Lansing Board of Water & Light paid a $25,000 ransom to unlock their internal communications systems after a cyberattack disabled company computers, the Lansing State Journal reported. Executives at the Lansing power company estimated that responding to the emergency, including both paying the ransom and to install technology upgrades, ultimately cost them roughly $2.4 million.