The Evolution of Wiper Malware into Ransomware
All eyes should be on the Ukraine for more reasons than one. ESET claims they believe that BlackEnergy, the group responsible for attacks against the energy sector in the Ukraine, has morphed into Telebots, and are responsible for a series of attacks against “high value targets” in the financial sector in the Ukraine. The group utilized backdoor trojans and malicious emails. The TeleBots malware is distinctive “because it uses the Telegram protocol to communicate with its operators”. The attackers rendered computers unbootable and hid their tracks using Killdisk to delete critical system files, replace files, and rewrite file extensions. The ESET article offers a very detailed and comprehensive analysis with IOCs, file extensions etc. which I won’t copy over here but highly recommend you look at.
According to Tripwire, “TeleBots is also an evolution of Sandworm, a Russian espionage gang which exploited CVE-2014-4114 to attack NATO and other Western organizations in 2014 and used KillDisk against several Ukrainian power companies in December 2015.” This includes ICS targets in the US in 2014.
And it gets better. Guess what they’re using? Killdisk wiper malware. Because wiper malware means never having to say you’re sorry. But wait – there’s more. It appears Telebots has helped the Killdisk evolve from wiper malware into ransomware, according to researchers with CYberX, a security firm specializing in ICS SCADA. We can expect lucrative extortion attacks against industries, because those are systems that cannot easily be secured or defended. Per Catalin Cimpanu of Bleeping Computer, “KillDisk’s ransomware component makes it easier for the gang to hide its tricks. It also means the group can extort industrial organizations, targets which can’t afford to not access their data or shut down their networks to scrub them of malware.
The ransoms asked are roughly $215,000. Never mind what comes next. Buckle up guys, we’re in for a rough ride.