In late 2016, a new ransomware variant emerged which is now being used in attacks on industrial companies. Unlike other ransomware variants, the new malware does not permanently lock users’ files. Victims have been threatened with full disk deletion should they fail to pay the ransom, and it has been confirmed that the ransomware has the capability to do exactly that.
The variant being used by the attackers is a modified version of KillDisk, malware that wipes the entire contents of hard drives. KillDisk was previously deployed alongside the BlackEnergy malware in attacks that primarily targeted energy companies in Ukraine.
The most recent ransomware attacks are thought to have been carried out by criminals operating under the name TeleBots, an offshoot of the Sandworm group. Sandworm executed attacks on SCADA systems during 2014 and several attacks against Ukrainian energy companies from December 2015 to January 2016.
According to ESET, TeleBots have expanded their “operations” in recent months and have begun carrying out attacks on financial companies in Ukraine using KillDisk; a further report from CyberX indicates that the group has been using the modified KillDisk to extract significant ransom payments from its targets. In one recent ransomware attack, a staggering 222 Bitcoin (around $206,000) was demanded.
The ransomware is thought to be spread through emails carrying infected Microsoft Office documents. Once a machine is infected, the local hard drives together with network-mapped folders are encrypted using the RSA1028 and AES algorithms. At present there is no decryptor available to recover the files.
Even though energy companies appear to be the attackers’ primary targets, chemical companies in Eastern Europe are also at risk. Both chemical and energy companies are highly likely to pay the ransom despite the extortionate amounts demanded. In the case of energy companies, if the attackers successfully encrypt files that are necessary for essential industrial processes, the result could be significant disruption to energy production. For chemical companies, such encryption could drastically affect product quality. Either scenario would have enormous financial implications, dwarfing the $200,000 ransom payment demanded.