KillDisk System Destructive Malware Now Targeting Linux

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
KillDisk is one of the pieces of malware that made the news several times in 2016, mostly because it was used for compromising several high-profile targets, including utility companies in Ukraine.

KillDisk has been considered responsible for a nationwide power outage in Ukraine, after a number of computers were compromised with malware and could no longer boot due to what seemed to be an infection that broke down the operating system.

The very same infection is now targeting Linux systems, but with a different approach, according to security company ESET. KillDisk has adopted ransomware-inspired tactics, and while it does infect systems and makes them impossible to boost the OS, it also asks for a ransom to restore access to data.

On Linux, KillDisk displays the ransom message within the GRUB bootloader, so when the malware is executed, any other option that was previously displayed is no longer available.

“The main encryption routine recursively traverses the following folders within the root directory up to 17 subdirectories in depth. Files are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set of 64-bit encryption keys,” ESET says.

Do not pay the ransom!
As you can also see in the screenshot included in the article and captured on a computer infected with the Linux/KillDisk.A Trojan, the ransom message displayed to users is the following:

Code:
We are so sorry, but the encryption
of your data has been successfully completed,
so you can lose your data or
pay 222 btc to 1Q94RXqr5WzyNh9Jn3YLDGeBoJhxJBigcF
with blockchain.info
contact e-mail:vuyrk568gou@lelantos.org


There’s one critical thing that administrators of systems infected with KillDisk must have in mind: even though the malware asks for a ransom to be paid in order to restore access to the system, victims shouldn’t pay up. It appears that the encryption keys aren’t stored on the local drives and aren’t submitted to a command and control server either, so they are automatically deleted after being generated.

In other words, even if you pay the ransom, the attackers wouldn’t be able to decrypt the system and restore access. So no, paying the ransom should not be on your solution list.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
222 btc !?

1 btc => 890.43 $ (today's value)

=> 197 675,46 $

=> first OMG

even if you pay the ransom, the attackers wouldn’t be able to decrypt the system and restore access. So no, paying the ransom should not be on your solution list.


=> second OMG
Backup Backup Backup
 
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top