S0607: KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]
Analyst context for executives and security teams
KillDisk matters because it is destructive malware: its purpose is to overwrite files with random data and make operating systems unbootable. For leaders, this shifts the conversation from malware cleanup to business continuity, recovery readiness, and whether critical Windows and Linux systems can be restored fast enough after intentional destruction. Its ATT&CK relationships also connect it to ICS disruption, including the 2015 Ukraine Electric Power Attack, so organizations with operational technology dependencies should treat it as a resilience and incident-response planning issue, not only an endpoint alerting issue.
Executive priority
Prioritize validation of destructive-malware readiness: immutable or offline backups, tested bare-metal or critical-system recovery, privileged access control, segmentation between enterprise and operational environments, and evidence that SOC/IR teams can recognize pre-impact behaviors such as discovery, service stopping, file deletion, shutdown/reboot activity, and disk-structure wiping. The key business question is whether the organization can maintain or restore essential services if endpoints or operational support systems are rendered unbootable.
Technical view
ATT&CK lists KillDisk for Linux and Windows and relates it to destructive and impact behaviors including Data Destruction, Disk Structure Wipe, Data Encrypted for Impact, Service Stop, and System Shutdown/Reboot, plus discovery and stealth behaviors such as Process Discovery, File and Directory Discovery, Local Storage Discovery, File Deletion, Obfuscated Files or Information, Masquerade Task or Service, Native API, Shared Modules, and Access Token Manipulation. SOC teams should validate visibility across endpoint process execution, service control, filesystem changes, disk/volume access, reboot or shutdown commands, module loading, and privileged security-context changes. In ICS-adjacent environments, detection and response should also account for Loss of View and the possibility that host destruction can force manual operator intervention or impair operational visibility.
Likely telemetry
- Endpoint process creation and command execution on Windows and Linux systems
- Service creation, modification, stop, or disable events, including suspiciously named or masqueraded services/tasks
- File deletion, high-volume overwrite, and abnormal filesystem activity
- Disk, volume, boot structure, MBR, partition table, or raw device access telemetry where available
- System shutdown and reboot events
Detection direction
- Because ATT&CK provides no official detection text for KillDisk, build coverage from the related techniques rather than from a single malware signature.
- Tune for behavior chains: discovery of processes/files/storage followed by service stops, destructive file or disk writes, file deletion, or shutdown/reboot activity.
- Validate that alerts still reach the SOC if the affected host becomes unbootable; local-only logs are a major blind spot for destructive malware.
- Hunt for suspicious task or service names that imitate legitimate services, especially when paired with destructive or recovery-inhibiting activity.
- Separate legitimate administrative maintenance from suspicious activity using change windows, privileged user context, asset criticality, and whether actions occur across multiple systems.
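The behavior-chain and masquerade ideas in the list above, as an added example that is not part of the original page or of ATT&CK: a small correlator run over constructed, already-normalised telemetry records. The event kinds, the `BUILTIN_SERVICE_NAMES` set and the trusted image-path prefix are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs), normalised from Windows/Linux
# sources into one record shape: host, timestamp (seconds), event kind.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "kind": "process_discovery"},
    {"host": "ws01", "ts": 105, "kind": "service_create",
     "name": "Plug-And-Play Support", "image": "C:\\Users\\Public\\svc.exe"},
    {"host": "ws01", "ts": 110, "kind": "service_stop"},
    {"host": "ws01", "ts": 120, "kind": "eventlog_clear"},
    {"host": "ws01", "ts": 130, "kind": "raw_disk_write"},
    {"host": "ws01", "ts": 140, "kind": "shutdown"},
    {"host": "srv02", "ts": 200, "kind": "service_stop"},   # routine patching
    {"host": "srv02", "ts": 260, "kind": "shutdown"},
]

# Pre-impact stages of the chain, in the order they tend to appear.
CHAIN = ["process_discovery", "service_stop", "eventlog_clear",
         "raw_disk_write", "shutdown"]

# Assumption: names that only built-in Windows components should register, and
# the directory under which their binaries are expected to live.
BUILTIN_SERVICE_NAMES = {"plug-and-play support", "plug and play"}
TRUSTED_IMAGE_PREFIX = "c:\\windows\\"

def masqueraded_services(events):
    """Service creations that reuse a built-in name but run from outside the
    trusted system directory."""
    return [(e["host"], e["name"], e["image"]) for e in events
            if e["kind"] == "service_create"
            and e["name"].lower() in BUILTIN_SERVICE_NAMES
            and not e["image"].lower().startswith(TRUSTED_IMAGE_PREFIX)]

def chain_scores(events, window=120):
    """Per host: the largest number of distinct chain stages observed inside
    any `window`-second span (sliding over each candidate start event)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] in CHAIN:
            by_host[e["host"]].append(e)
    scores = {}
    for host, evs in by_host.items():
        best = 0
        for i, first in enumerate(evs):
            stages = {e["kind"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            best = max(best, len(stages))
        scores[host] = best
    return scores

def alerts(events, min_stages=3):
    """Hosts whose chain score reaches min_stages, plus any masqueraded service.
    Two isolated events (srv02 above) stay below the threshold."""
    return {"chain": [h for h, s in chain_scores(events).items() if s >= min_stages],
            "masquerade": masqueraded_services(events)}
```

The threshold and window are starting points; a real deployment would also weight by asset criticality and change-window context as the last bullet describes.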
Mitigation priorities
- Start with recovery: maintain offline or immutable backups and regularly test restoration of critical Windows, Linux, and operational support systems.
- Limit destructive reach by reducing standing administrative privileges and enforcing strong privileged-access workflows for systems that can affect availability.
- Segment enterprise and operational environments so destructive activity on IT systems is less likely to impair ICS visibility or operations.
- Harden and monitor critical services so unauthorized service stops, disables, or masqueraded services are detected and investigated quickly.
- Centralize security logging off-host and protect telemetry pipelines from local file deletion or disk wiping.
Analyst notes and limits
KillDisk is documented by ATT&CK as a disk-wiping tool first observed as part of BlackEnergy activity against Ukraine in 2015, later evolving into stand-alone malware used by multiple threat actors, with some variants incorporating a ransomware component. ATT&CK relationships associate it with the 2015 Ukraine Electric Power Attack, Sandworm Team, APT38, and multiple Enterprise and ICS techniques. These relationships justify focusing on destructive impact, recovery, and cyber-physical visibility risks, but local applicability depends on the organization’s platforms, exposure, and operational dependencies.
The supplied ATT&CK object has no official detection guidance and no listed tactics on the malware object itself. Technique relationships provide useful defensive direction, but they do not prove current exposure, active exploitation, or detection coverage in any specific environment. Platform assertions should be limited to the supplied KillDisk platforms, Linux and Windows, unless local evidence shows other affected systems.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | KillDisk has used the |
| Enterprise | T1106 | Native API | KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine. (Citation: Trend Micro KillDisk 1) |
| Enterprise | T1680 | Local Storage Discovery | KillDisk retrieves the hard disk name by calling the |
| Enterprise | T1129 | Shared Modules | KillDisk loads and executes functions from a DLL. (Citation: Trend Micro KillDisk 1) |
| Enterprise | T1057 | Process Discovery | KillDisk has called |
| Enterprise | T1685.005 | Clear Windows Event Logs | KillDisk deletes Application, Security, Setup, and System Windows Event Logs. (Citation: ESEST Black Energy Jan 2016) |
| Enterprise | T1027 | Obfuscated Files or Information | KillDisk uses VMProtect to make reverse engineering the malware more difficult. (Citation: Trend Micro KillDisk 1) |
| Enterprise | T1489 | Service Stop | KillDisk terminates various processes to get the user to reboot the victim machine. (Citation: Trend Micro KillDisk 2) |
| Enterprise | T1529 | System Shutdown/Reboot | KillDisk attempts to reboot the machine by terminating specific processes. (Citation: Trend Micro KillDisk 2) |
| Enterprise | T1561.002 | Disk Structure Wipe | KillDisk overwrites the first sector of the Master Boot Record with "0x00". (Citation: Trend Micro KillDisk 1) |
| Enterprise | T1486 | Data Encrypted for Impact | KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted. (Citation: KillDisk Ransomware) |
| Enterprise | T1070.004 | File Deletion | KillDisk has the ability to quit and delete itself. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1036.004 | Masquerade Task or Service | KillDisk registers as a service under the Plug-And-Play Support name. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1485 | Data Destruction | |
Groups, software, and campaigns
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 896025661808… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] KillDisk Ransomware: Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
- [2] ESEST Black Energy Jan 2016: Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
- [3] Trend Micro KillDisk 1: Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
- [4] Trend Micro KillDisk 2: Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
- [5] mitre-attack S0607: MITRE ATT&CK source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.