Cyble – Pro-Russian Hacktivists Targeting Adversaries With Killnet Ransomware

Cyble researchers uncovered a data-destructive ransomware tied to the pro-Russian Killnet group, rebranding Chaos ransomware to target adversaries. The analysis details Killnet ransomware’s execution flow, including privilege escalation, persistence, targeted encryption with a .killnet extension, and a Telegram fundraising/propaganda channel used to finance and promote the activity. #Killnet #ChaosRansomware #Telegram #KillMilk #Cyble

Keypoints

  • Killnet ransomware is a 32-bit GUI binary and a modified Chaos ransomware used by the Killnet group.
  • The attackers leverage a Telegram channel with thousands of subscribers to share propaganda and solicit donations (BTC, ETH, USDT).
  • A pinned post by “KillMilk” presents the operator as leading Killnet hacktivism and seeking financial support.
  • The malware first checks whether another instance is already running and exits if so; it then re-launches itself with the RunAs verb, which triggers a UAC prompt to obtain administrator privileges.
  • Persistence is achieved by dropping a copy of itself into the user's AppData\Roaming folder as cmd.exe and creating a shortcut to that copy in the Startup folder.
  • It disables data recovery, deletes shadow copies and backups, encrypts all files on logical drives other than C: plus selected folders on C:, appends a .killnet extension to encrypted files, and leaves a ransom note.
  • MITRE mapping includes T1547.001, T1083, and T1486, and IOCs include file hashes and an outbound IP associated with the activity.

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “To achieve persistence, the ransomware drops itself into C:\Users\<username>\AppData\Roaming folder as cmd.exe and adds a shortcut link for dropped cmd.exe in the StartUp folder.”
  • [T1083] File and Directory Discovery – “Initially, the ransomware looks for logical drives other than C: drive and encrypts all files present in those logical drives.”
  • [T1486] Data Encrypted for Impact – “The ransomware then encrypts the selected files in the system.” (and appends the .killnet extension and drops a ransom note)

Indicators of Compromise

  • [File Hashes] MD5/SHA1/SHA256 – Killnet Executable – ff00932cd0294036b814c71b2c4b624c, 58307a32323d2784df65b473fd4244ef0d5e7447, db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50
  • [IP] Network Activity – 13.107.4.52 (note: this address sits in Microsoft-owned space and serves the Windows connectivity-check host, so on its own it is a low-fidelity indicator; corroborate with the hashes and host artefacts above before acting on it)
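The behaviours in the Keypoints and the IOCs above translate directly into hunt logic. The following is an added example, not code from Cyble or from the Killnet sample: it runs offline over constructed Sysmon-style events (dicts standing in for process-create and file-create records) and flags the T1547.001 drop and Startup shortcut, the .killnet extension (T1486), and the three file hashes from the IOC list. The concrete recovery-inhibition command lines it matches (vssadmin, wmic, bcdedit, wbadmin) are an assumption about how "disables data recovery, deletes shadow copies and backups" is implemented in Chaos-derived builds; the summary does not list them, and it does not map T1490 (Inhibit System Recovery), which is the MITRE ID this example uses for them. The sample events are constructed, not taken from the report.

```python
"""Hunt logic for the Killnet (modified Chaos) ransomware behaviours.

Added example, not Cyble's code. Hashes are the IOCs from the report;
the recovery-inhibition command patterns and all sample events are assumptions.
"""
import re

# IOC hashes from the report (stored lowercase; comparisons are case-insensitive).
KILLNET_HASHES = {
    "md5": "ff00932cd0294036b814c71b2c4b624c",
    "sha1": "58307a32323d2784df65b473fd4244ef0d5e7447",
    "sha256": "db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50",
}

# Assumed: command lines a Chaos-derived sample issues to kill recovery (T1490).
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def _norm(path):
    """Normalise a Windows path for matching: backslashes, lowercase."""
    return path.replace("/", "\\").lower()


def is_rogue_cmd_exe(path):
    """cmd.exe under a user's AppData\\Roaming instead of a Windows directory."""
    p = _norm(path)
    return p.endswith("\\cmd.exe") and "\\appdata\\roaming\\" in p


def is_startup_shortcut(path):
    """A .lnk written to the per-user Startup folder."""
    p = _norm(path)
    return p.endswith(".lnk") and "\\start menu\\programs\\startup\\" in p


def is_killnet_encrypted(path):
    """File carrying the .killnet extension the ransomware appends."""
    return _norm(path).endswith(".killnet")


def matches_ioc_hash(hashes):
    """hashes: {'sha256': '...', 'md5': '...'} as found on a process-create event."""
    for algo, value in hashes.items():
        known = KILLNET_HASHES.get(algo.lower())
        if known and value.lower() == known:
            return True
    return False


def is_recovery_inhibition(cmdline):
    return any(p.search(cmdline) for p in RECOVERY_INHIBIT_PATTERNS)


def hunt(events):
    """Return (technique, reason, event) for every event matching a Killnet behaviour."""
    hits = []
    for ev in events:
        if ev.get("type") == "process_create":
            if matches_ioc_hash(ev.get("hashes", {})):
                hits.append(("IOC", "known Killnet hash", ev))
            if is_rogue_cmd_exe(ev.get("image", "")):
                hits.append(("T1547.001", "cmd.exe launched from AppData\\Roaming", ev))
            if is_recovery_inhibition(ev.get("cmdline", "")):
                hits.append(("T1490", "shadow copy / recovery inhibition", ev))
        elif ev.get("type") == "file_create":
            target = ev.get("target", "")
            if is_rogue_cmd_exe(target):
                hits.append(("T1547.001", "cmd.exe dropped to AppData\\Roaming", ev))
            if is_startup_shortcut(target):
                hits.append(("T1547.001", "shortcut written to Startup folder", ev))
            if is_killnet_encrypted(target):
                hits.append(("T1486", ".killnet extension", ev))
    return hits


def techniques_seen(events):
    """Distinct technique labels triggered by a set of events, sorted."""
    return sorted({t for t, _, _ in hunt(events)})


# Constructed sample telemetry (assumption, not from the report): one benign event, then the chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "hashes": {"sha256": "0" * 64}},
    {"type": "file_create", "target": r"C:\Users\alice\AppData\Roaming\cmd.exe"},
    {"type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\cmd.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\cmd.exe",
     "hashes": {"sha256": "DB1C8DDCDFEA93031A565001366FFA9FDB41A689BDDAB46AEC7611A46BB4DC50"}},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "hashes": {}},
    {"type": "file_create", "target": r"C:\Users\alice\Documents\report.docx.killnet"},
]

if __name__ == "__main__":
    for technique, reason, ev in hunt(SAMPLE_EVENTS):
        print(f"{technique:10} {reason}: {ev.get('image') or ev.get('target')}")
```

The path checks deliberately key on the AppData\Roaming and Startup locations rather than on the file name alone, since a cmd.exe in System32 is benign while the same name in a roaming profile is the documented drop; the hash comparison is case-insensitive because EDR and Sysmon exports disagree on hex case.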

Read more: https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware/