W32/KillDisk.NCV!tr
Analysis
W32/KillDisk.NCV!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as W32/KillDisk.NCV!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This data wiper malware was first discovered on machines across multiple Ukrainian organizations. It is also known as "HermeticWiper" because of its digital certificate. The malware disables the Volume Shadow Copy Service (VSS) and modifies registry keys to disable crash dumps. It also adjusts token privileges to enable SeBackupPrivilege. It then traverses the physical drives, from 0 to 100, and the partitions on the victim machine to destroy the data. Upon reboot, a message appears stating that there is an error loading the operating system.
- Below are images of the malware:
- Figure 1: Digital certificate.
- Figure 2: Disabling VSS.
- Figure 3: Disabling crash dumps.
- Figure 4: Traversing through physical drives 0-100.
- Figure 5: Screen upon reboot after execution of malware.
- Following are some of the near/exact IOCs/file hashes associated with this detection:
  - MD5: 3f4a16b29f2f0532b7ce3e7656799125 / SHA256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
  - MD5: 84ba0197920fd3e2b7dfa719fee09d2f / SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
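A defender-side host audit for the traces described above, written here as an added example (it is not Fortinet's code and not the malware's): it checks the VSS service start type, the crash-dump setting, and file hashes against the SHA256 values listed for this detection. The service name VSS and the CrashControl\CrashDumpEnabled registry value are assumptions from general Windows knowledge, not names taken from this page.

```powershell
# Added example, not part of the Fortinet entry. Audits a Windows host for the
# state changes this detection describes. Service/registry names are assumed.

# SHA256 hashes listed on the page for this detection (lowercase for comparison).
$KnownSha256 = @(
    '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591',
    '0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da'
)

function Test-WiperHostState {
    param([string[]]$ScanPath = @("$env:SystemRoot\Temp", "$env:TEMP"))
    $findings = @()

    # 1. Volume Shadow Copy Service: the wiper disables it before destroying data.
    #    A stopped VSS is normal (manual start); a Disabled start type is not.
    $vss = Get-Service -Name 'VSS' -ErrorAction SilentlyContinue
    if ($null -eq $vss -or $vss.StartType -eq 'Disabled') {
        $findings += 'VSS service is missing or its start type is Disabled'
    }

    # 2. Crash dumps: assumed key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl,
    #    where CrashDumpEnabled = 0 means crash dumps are turned off.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
                           -ErrorAction SilentlyContinue
    if ($cc -and $cc.CrashDumpEnabled -eq 0) {
        $findings += 'CrashDumpEnabled is 0 (crash dumps disabled)'
    }

    # 3. Known file hashes from the entry, checked against files under the scan paths.
    foreach ($p in $ScanPath) {
        if (-not (Test-Path -Path $p)) { continue }
        $files = Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($KnownSha256 -contains $h.ToLower())) {
                $findings += "Hash match for this detection: $($f.FullName)"
            }
        }
    }
    return $findings
}

# Print each finding; an empty result means none of the checked traces were present.
Test-WiperHostState | ForEach-Object { Write-Output "[!] $_" }
```

Run from an elevated PowerShell session so the registry and temp paths are readable; a hash match or a Disabled VSS start type warrants isolating the host and restoring from clean backups as the Recommended Action section advises.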
Outbreak Alert
Malware known as Hermetic (or FoxBlade) was found by cybersecurity researchers being used against organizations in Ukraine.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR