KillDisk Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

All ransomware infections are dangerous, destructive, and annoying, but few of them are as aggressive as the recently discovered KillDisk Ransomware. This malicious infection is similar to HDD Encrypt Ransomware, Mischa Ransomware, and Petya Ransomware in the sense that it might affect the entire PC, not just the files found on it. According to our malware researchers, there are at least two different versions of this malicious infection. One of the versions performs like any other regular ransomware by encrypting files and introducing its victims to a ransom note that demands a ridiculous amount of money for the alleged decryption services. The second version of this ransomware has been seen to damage the operating system by wiping the hard drive. Obviously, if you face the latter version of this threat, there is not much you can do. So, is there a way to reverse the damage? How can you remove KillDisk Ransomware? And how can you protect your operating system from it in the future? These questions are answered in our report.

It appears that the first version of the malicious KillDisk Ransomware was the one capable of affecting the hard drives and rendering the infected machines inoperable. This version of the threat is believed to be specifically targeted at industrial control systems, with recorded attacks against the Ukrainian energy sector. According to the latest information, the attackers are likely to distribute the ransomware using an Excel document with a macro. When the targeted victim enables macros, a malicious file is dropped. In the instance we have analyzed, the file was called “explorer.exe”, but the file could have a different name. The file represents a Trojan downloader written in Rust (a programming language), and its main purpose, of course, is to bring other pieces of malware onto the system. To conceal its malicious activity, the Trojan can retrieve data from a hardcoded URL that links to a text file; this file holds the final payload, encoded with Base64. The backdoor (which is the payload) enables the attacker to use different tools that allow collecting sensitive data and executing malware, such as the KillDisk Ransomware.

The first version of the KillDisk Ransomware is meant to disrupt systems, and it is likely to be targeted at big organizations. The second version, on the other hand, operates in a more “traditional” sense, and it encrypts files with the expectation of collecting money for a decryptor. According to the ransom note, the victim must pay a ransom of 222 Bitcoins, which is a ridiculous sum. At the moment, based on current conversion rates, this sum translates to nearly 239,000 USD or 226,000 Euro. Clearly, this ransomware is also targeted at big organizations because regular users would never be able to pay that kind of money. The victims are also provided with an email address that is registered with the anonymous email service, lelantos.com, which can only be accessed via the Tor Browser. It is believed that KillDisk Ransomware encrypts all files using the same encryption key, which would suggest that the same decryption key (or private key) could be used by all victims. We have yet to confirm this, but if a decryption key emerges, we will update this report as soon as possible.

KillDisk Ransomware is not a regular threat, and its removal is not regular either. If this ransomware encrypts files, it is likely that the victim will not be able to decrypt them unless a decryption key is found or the ransom fee is paid, although that is not a given either. If the ransomware wipes the hard drive, the only option would be to hook up the hard drive to a malware-free computer and employ file recovery software. Of course, the chances of having the files recovered successfully are very slim. If the computer is not compromised, the victim might be able to delete the malicious executable launched via the Excel document. In any case, it is strongly recommended to reinstall Windows if KillDisk Ransomware has corrupted the operating system because this infection is incredibly malicious, and sensitive data is at serious risk as long as at least one of its components remains active. To protect operating systems against such malware, strong, up-to-date security software must be activated at all times.

KillDisk Ransomware Removal

N.B. These removal steps might help when the ransomware displays the ransom note. Notably, the files will remain encrypted even if one removes KillDisk Ransomware successfully.

  1. Locate the malicious executable that might be named explorer.exe.
  2. Right-click the file and select Delete.
  3. Scan the operating system to look for potential leftovers, including a Trojan downloader.
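
Because the dropped file borrows the name of the Windows shell, step 1 comes down to telling the impostor apart from the real explorer.exe. The read-only PowerShell check below is an added example, not part of the original guide; it assumes the genuine binary lives only in the Windows directory (and its SysWOW64 copy on 64-bit systems) and lists every running explorer.exe with its path, parent process, and signature status.

```powershell
# Added example (not from the original guide): find running processes named
# explorer.exe that are NOT the Windows shell binary. Read-only; deletes nothing.

# Assumption: the only legitimate locations for explorer.exe.
$legit = @(
    (Join-Path $env:windir 'explorer.exe'),
    (Join-Path $env:windir 'SysWOW64\explorer.exe')
)

# Snapshot all processes once so parent PIDs can be resolved to names.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -ieq 'explorer.exe' } | ForEach-Object {
    $path   = $_.ExecutablePath   # empty if the session may not query the process
    $parent = $byPid[[uint32]$_.ParentProcessId]

    # -contains compares strings case-insensitively, matching NTFS path semantics.
    $known = [bool]$path -and ($legit -contains $path)

    [pscustomobject]@{
        ProcessId  = $_.ProcessId
        Path       = $(if ($path) { $path } else { '<unavailable, run elevated>' })
        # Parent lookup is best effort: the parent may have exited.
        Parent     = $(if ($parent) { $parent.Name } else { '<exited>' })
        Signature  = $(if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' })
        Suspicious = -not $known
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A row marked Suspicious with a path under a user profile or temp folder, a parent of EXCEL.EXE, or a signature status other than Valid is the candidate for steps 2 and 3.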
