[dba-Tech] KillDisk evolves into ransomware

John R Bartow jbartow at winhaven.net
Fri Jan 6 11:48:07 CST 2017


The malware is now encrypting files on both Windows and Linux systems and
asks for $216,000 to restore them but even if paid they can't restore them.

A malicious program called KillDisk, which has been used in the past to wipe
data from computers during cyberespionage attacks, is now encrypting files
and asking for an unusually large ransom. 

KillDisk was one of the components associated with the Black Energy malware
that a group of attackers used in December 2015 to hit several Ukrainian
power stations, cutting power for thousands of people. A month before that,
it was used against a major news agency in Ukraine. 

Since then, KillDisk has been used in other attacks, most recently against
several targets from the shipping sector, according to security researchers
from antivirus vendor ESET. 

However, the latest versions have evolved and now act like ransomware.
Instead of wiping the data from the disk, the malware encrypts it and
displays a message asking for 222 bitcoins to restore them. That's the
equivalent of $216,000, an unusually large sum of money for a ransomware
attack. 

What's even more interesting is that there's also a Linux variant of
KillDisk that can infect both desktop and server systems, the ESET
researchers said Thursday in blog post. The encryption routine and
algorithms are different between the Windows and the Linux versions, and on
Linux, there's another catch: The encryption keys are neither saved locally
nor sent to a command-and-control server, and the attackers can't actually
get to them. 

"The cyber criminals behind this KillDisk variant cannot supply their
victims with the decryption keys to recover their files, despite those
victims paying the extremely large sum demanded by this ransomware," the
ESET researchers said. 
The good news is that there's a weakness in the encryption mechanism for the
Linux version that makes it possible -- though difficult -- for the victim
to recover the files. With the Windows version, they can't. 

It's not clear why the KillDisk creators have added this encryption feature.
It could be that they're achieving the same goal as in the past --
destruction of data -- but with the ransomware tactic there's also a small
chance that they'll walk away with a large sum of money. 



More information about the dba-Tech mailing list