
KillDisk-Dimens Ransomware

Posted: January 25, 2018

The KillDisk-Dimens Ransomware is a variant of the KillDisk Ransomware that targets financial organizations in South America. The Trojan retains KillDisk's data-destroying capabilities, but it currently creates no ransom note and makes no attempt to profit from the attacks. Backing up your data (and keeping the backups out of reach of the systems they protect), monitoring your network's security controls, and running anti-malware software that can delete the KillDisk-Dimens Ransomware on sight are the protections every potential target should have in place.

South American Disks that are Ripe for the Killing

The KillDisk Ransomware has gone through several iterations, most infamously the early campaigns that struck multiple Ukrainian industries alongside the BlackEnergy rootkit. Although the existing versions are already destructive enough, threat actors continue to deploy it in new campaigns. The latest of these uses the KillDisk-Dimens Ransomware, a variant that malware experts have so far identified as operational only in Latin America.

The KillDisk-Dimens Ransomware retains most of the features that define the older KillDisk Ransomware and destroys data with little to no possibility of direct recovery. However, it differs in several ways that malware experts find suggestive of its being, once again, paired with additional threats. These changes include:

  • The KillDisk-Dimens Ransomware always drops into the same Windows folder under the name 'dimens.exe.' However, it also renames itself afterward to disable itself, so victims are unlikely to find this file unless their anti-malware products intercept it beforehand. The renamed file is called '0123456789' and has no extension.
  • Although the program still overwrites and erases the PC's files beyond recovery, the KillDisk-Dimens Ransomware does so with a slightly different technique than the original KillDisk Ransomware. It searches all drives from B: onward, including removable ones, and excludes certain system folders, such as 'Windows,' 'Program Files,' 'Users' and the Recycle Bin. The Trojan also overwrites portions of the MBR, and its behavior varies depending on whether it finds an extended partition.
  • The last and oddest feature of the KillDisk-Dimens Ransomware is the absence of the 'ransom note' screen that the previous threat displays. This change implies that the KillDisk-Dimens Ransomware's threat actors either aren't operating for financial gain or have other ways of monetizing their attacks.

Keeping the Killing from Reaching Your Network

The hard-coded aspects of the KillDisk-Dimens Ransomware make it more likely than not that other threats are dropping and running it, even though the damage it inflicts on the system can make the long-term security implications less pertinent than usual. Once it finishes its file-deleting routine, the KillDisk-Dimens Ransomware uses several methods to force a reboot of the PC, including terminating some essential Windows components and deliberately provoking a 'Blue Screen of Death.' These symptoms follow a fifteen-minute delay timer.
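The file-name indicators from the list above (the 'dimens.exe' drop and the self-rename to the extensionless '0123456789') and the fifteen-minute reboot timer described here can be turned into a simple hunting correlation. The script below is an added example and is not part of the original article or of any vendor product: it parses a constructed, pipe-delimited endpoint log (the format, host names and timestamps are all invented for the example), flags hosts where the named files appear, and ties a reboot to the drop only if it falls inside a correlation window. That window is an assumption: the text gives a fifteen-minute timer, and the example adds a few minutes of slack for logging delay.

```python
"""Hunt for KillDisk-Dimens file-name and reboot traces in endpoint events.

Added example, not code from the original page. The log format and the
sample lines below are constructed for the example.
"""

from datetime import datetime, timedelta

# Indicators stated in the text: dropped as 'dimens.exe' in a Windows folder,
# then self-renamed to '0123456789' with no extension.
DROP_NAME = "dimens.exe"
RENAMED_NAME = "0123456789"

# The text gives a fifteen-minute timer before the forced reboot; the extra
# slack in this correlation window is an assumption of the example.
REBOOT_WINDOW = timedelta(minutes=20)

# Constructed sample telemetry (not real data): timestamp|host|event|path|new_path
SAMPLE_LOG = """\
2018-01-25T09:58:10|ws-bank-07|process_create|C:\\Users\\ana\\AppData\\Local\\Temp\\invoice.exe|
2018-01-25T09:58:12|ws-bank-07|file_create|C:\\Windows\\dimens.exe|
2018-01-25T09:58:13|ws-bank-07|process_create|C:\\Windows\\dimens.exe|
2018-01-25T09:58:14|ws-bank-07|file_rename|C:\\Windows\\dimens.exe|C:\\Windows\\0123456789
2018-01-25T10:13:40|ws-bank-07|reboot||
2018-01-25T10:02:00|ws-bank-12|file_create|C:\\Users\\luis\\Downloads\\dimens.exe|
2018-01-25T11:30:00|ws-bank-12|reboot||
2018-01-25T10:05:00|fs-01|file_rename|D:\\share\\report.tmp|D:\\share\\report.docx
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, path, new_path = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "path": path, "new_path": new_path})
    return events


def basename(path):
    """Last path component, accepting either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def verdict(traces):
    """Rate a host from which of the three traces were observed."""
    if traces["drop"] and (traces["marker"] or traces["reboot"]):
        return "likely KillDisk-Dimens execution"
    if traces["drop"] or traces["marker"]:
        return "filename indicator only; inspect host"
    return "clean"


def correlate(events):
    """Per host: first 'dimens.exe' sighting, rename to the marker name, and a
    reboot that happened within REBOOT_WINDOW of the drop, plus a verdict."""
    hosts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        h = hosts.setdefault(e["host"], {"drop": None, "marker": None, "reboot": None})
        name = basename(e["path"]).lower()
        if e["kind"] in ("file_create", "process_create") and name == DROP_NAME:
            h["drop"] = h["drop"] or e["ts"]          # keep the earliest sighting
        elif e["kind"] == "file_rename" and basename(e["new_path"]) == RENAMED_NAME:
            h["marker"] = e["ts"]
        elif (e["kind"] == "reboot" and h["drop"] is not None
              and e["ts"] - h["drop"] <= REBOOT_WINDOW):
            h["reboot"] = e["ts"]                     # reboot inside the timer window
    return {host: dict(t, verdict=verdict(t)) for host, t in hosts.items()}


if __name__ == "__main__":
    for host, result in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{host:12s} drop={result['drop']} marker={result['marker']} "
              f"reboot={result['reboot']} -> {result['verdict']}")
```

In the sample, ws-bank-07 shows the full chain (drop, rename, reboot about fifteen minutes later) and is rated as likely execution; ws-bank-12 only has a file called 'dimens.exe' outside the Windows folder and a reboot far outside the window, so it is flagged for inspection rather than confirmed; fs-01 has an unrelated rename and stays clean. Because the rename leaves an extensionless, all-digit file behind, an additional hunt for '0123456789' on disk is worthwhile on any host where logging was incomplete.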

The KillDisk-Dimens Ransomware may dispense with the pretense of ransoming your files, but the data loss from an unimpeded KillDisk-Dimens Ransomware infection remains severe. Companies can protect their networks by restricting file access between PCs where appropriate, maintaining backups (ideally ones the infected machine cannot reach, since the Trojan also wipes the removable drives it finds), and using strict firewall rules. Disinfection should always include anti-malware scans, not just to delete the KillDisk-Dimens Ransomware, but also to deal with the high likelihood that one or more related Trojans are present.

It isn't always possible to recover from mistakes in PC security. With threats like the KillDisk-Dimens Ransomware in the wild, opening the wrong e-mail on an unprotected system is an easy way to destroy multiple servers' worth of data.
