Security Affairs
INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Dreaded KillDisk Malware now includes Ransomware abilities

Researchers at security firm CyberX have recently discovered a variant of the KillDisk malware that also implements ransomware features. KillDisk is a malware that has been used in attacks against industrial control systems (ICS), it was developed to wipe the hard drives of the infected machine in order to make it inoperable. The new variant is […]

Dreaded KillDisk Malware now includes Ransomware abilities

Researchers at security firm CyberX have recently discovered a variant of the KillDisk malware that also implements ransomware features.

KillDisk is a malware that has been used in attacks against industrial control systems (ICS), it was developed to wipe the hard drives of the infected machine in order to make it inoperable.

The new variant is able to encrypt the file with AES algorithm, the malware uses a unique key for each target and encrypt it with an RSA 1028 algorithm with a key stored in the body of the malware.

The variant of the KillDisk malware is able to encrypt a large number of files from both local partitions and network folders are targeted.

Victims are requested to pay 222 bitcoins ($206,000) to recover their files, a very exorbitant figure that suggests the intention of the author is to attack organizations with deep pockets.

The experts believe the variant has been developed by the TeleBots group, a Russian cybercriminal gang that developed its Telebots malware starting from the BlackEnergy one. The group was recently observed by experts from ESET targeting Ukrainian banks.

“This new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang. The Sandworm gang is responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware” states the report published by the CyberX.

The researchers speculate the malware is being distributed via malicious Office attachments, a close look at the contact email used in the instructions reveals that hackers used the Tor anonymous email service lelantos.org.

The Bitcoin Wallet used by the hackers is still empty and there is no indication of past transactions.

KillDisk Malware

CyberX noticed that the same RSA public key is used for all samples of malware it analyzed, this implies that it could be used to decrypt files for all victims.

According to CyberX, the KillDisk malware first elevate its privileges and then registers itself as a service. The malicious code kills various processes, not critical system ones and processes associated with anti-malware applications, to avoid triggering detection.

Stay Tuned

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – TeleBots , KillDisk malware)