The presentattion is meant to undertsand what is killdisk and how it was used as a weapon in Ukraine power outage attack.

1. KillDisk and its
use in hacks in
Ukraine

2. ❏ A quality security application that destroys data permanently from any computer .
❏ Access drive’s data on physical level via BIOS.
❏ Regardless of the OS, file systems or type of machine, it can destroy all data on all
storage devices.
❏ Can be installed on the system or booted from a disk as well, which allows to clean
the hard drive that has os installed to it.
❏ Support 24 International data sanitization methods.
What is KillDisk?

3. ❏ Bootable version allows to erase whole drive at once but have a text only
interface.
❏ Installable version allows to erase things like flash drive and other internal hard
drives and has a GUI.
❏ In order to use KillDisk from outside the OS, select the partition to wipe and
press F10 to start.
❏ To run the KillDisk like a regular program open the Active KillDisk program.
❏ Bootable version can be created from the pre installed program using “Boot
Disk Creator” option.
KillDisk-Comparing the two ways

4. ❏ Disk Erase (complete all disk's surface sanitation) for HDDs, SSDs, USBs.
❏ Supports preliminary Disk Examination for bad sectors.
❏ Displays Disks health diagnostics via S.M.A.R.T info and sectors inspection in
advanced Disk Editor.
❏ Supports batch operations.
❏ Allows disk cloning after erase.
❏ Ability to start from Bootable CD/DVD or LiveUSB and erase disks on any
PC.
❏ Mapping network shares
❏ Changing disk serial number
Features

5. ❏ Sound notifications for completed erase jobs with different results.
❏ Auto hibernate or shutdown the system after all jobs are completed.
❏ Supports verification, PDF Certificates & XML reports, emailing results, reports
customization.
❏ Disk Wipe sanitation of unused clusters on live volumes for most file systems.
❏ Freeware or Demo product version provided for evaluation.
❏ Pricing :
Software KillDisk - $39.95/license,
Desktop KillDisk - $1900/box,
Industrial KillDisk - $350
Features

6. Erase Methods

7. Supports 24 International sanitation methods :
❏ One Pass Zeros:
Number of passes is fixed and cannot be changed.
When the write head passes through a sector, it writes only zeros or a series of
random characters.
❏ US DoD 5220.22-M:
Write head passes over each sector three times.
The first time with zeros (0x00), second time with 0xFF and the third time with
random characters.
❏ Canadian OPS - II:
Write head passes over each sector seven times (0x00, 0xFF, 0x00, 0xFF, 0x00,
0xFF, Random). There is one final pass to verify random characters by reading.
Erase Methods

8. ❏ Russian GOST p50739-95:
Write head passes over each sector two times. (0x00, Random).
There is one final pass to verify random characters by reading.
❏ NSA 130-2:
Write head passes over each sector two times (Random, Random).
There is one final pass to verify random characters by reading.
❏ User Defined:
User indicates the number of times the write head passes over each sector.
Each overwriting pass is performed with a buffer containing random characters.
Erase Methods

9. The Erase Preferences tab allows for users to configure settings for the KillDisk
erase procedures.
❏ Select entire disk
❏ Select exact area
❏ Erase method
❏ Erase verification
❏ Initialize after erase
❏ Write fingerprint
❏ Erase confirmation
Disk Erase Options

10. The disk wipe procedure, like with the erase procedure, allows you to specify the
erase method used, as well as a few additional wipe-specific options.
❏ Entire disk wiped
❏ All volumes will be selected for wipe operation
❏ All unallocated space will be wiped
❏ Select a single partition to be wiped
❏ Erase method
❏ Erase verification
❏ Wipe unused cluster
❏ Wipe metadata and system files area
❏ Wipe slack space in file clusters
Disk Wipe Options

11. ❏ DBAN
❏ HDShredder
❏ HDDErase
❏ Disk Wipe
❏ CBL Data Shredder
❏ Macrorit Data Wiper
Other players in the market

12. Ukraine Power Grid Cyber Attack
Source: https://www.youtube.com/watch?v=bV47gBsrDkc&feature=youtu.be

13. 23 December 2015
First known successful cyber attack on
power grid
Coordinated multi-part attack on a
number of regional power distribution
centers in the region.
Compromised information systems of
three energy distribution companies in
Ukraine
Ukraine Power Grid Cyber Attack

14. IMPACT:
❏ Blackout in a whole geographic area of Ukraine
❏ More than 50 substations went offline
❏ Service outage to customers
❏ More than 80,000 homes remained without electricity
for a period of 1-6 hours
❏ Telephone lines were attacked preventing customers
from reporting outage
Ukraine Power Grid Cyber Attack

15. Cyber Attack : Potential Scenario

16. ❏ KillDisk overwrote critical system files on operator machines
❏ causing them to crash and become inoperable
❏ KillDisk overwrites the master boot record
❏ the infected computers could not reboot
❏ KillDisk components had to be manually set,but
❏ the attackers used a logic bomb that launched KillDisk
automatically about 90 minutes into the attack
Role of KillDisk in Ukraine Attack

17. KillDisk as a malware
❏ First known use of KillDisk Malware was reported by CERT
Ukraine in November 2015
❏ News media companies were attacked at the time of the
2015 Ukrainian local elections
❏ A large number of video materials and various documents
were destroyed as a result of the attack

18. KillDisk as a ransomware
Lately:
❏ KillDisk disk wiper malware is back with new variants - Killdisk
Ransomware
❏ Targeting Windows and Linux Machines and servers
❏ Data encrypted
❏ Demands for unusually large ransom in Bitcoins
For Linux Systems:
❏ Encryption key is not stored anywhere on disk/server
❏ Even after paying ransom, one might not get decryption key

19. KillDisk as a ransomware
FBI advises - Pay off the criminals to get your files back if you don't have a backup

20. ❏ KillDisk is a data sanitization tool capable of
❏ destroying 4000 different file types
❏ rendering machine unbootable
❏ killing processes and services on a server
❏ wiping off the whole hard disk
❏ Thus apparently,KillDisk is a data destroying parasite
❏ Categorised as an anti-forensic tool
❏ Only way to be safe is prevention
KillDisk : Conclusion

21. ❏ Awareness within the organizations
❏ Regular backups
❏ Do not click on links provided in emails
❏ Do not open attachments from unknown sources
❏ Updated Antivirus Software
KillDisk : Prevention measures

22.  https://www.lifewire.com/killdisk-review-2619139
 http://www.killdisk.com/downloads/killdisk.pdf
 https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
 https://www.makeuseof.com/tag/ukraines-power-grid-hacked-happen/
 https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-
attacks-ukrainian-electric-power-industry/
 https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-
plant-hack/
 https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-
power-grid/
 https://thehackernews.com/2016/01/Ukraine-power-system-hacked.html
 https://thehackernews.com/2017/01/linux-ransomware-malware.html
References