[dba-Tech] KillDisk evolves into ransomware

Jim Lawrence accessd at shaw.ca
Sat Jan 7 13:43:18 CST 2017


It sounds like a piece of malware that has gone wrong. 

All these malware code segments are designed with a purpose...take over your computer, monitor your banking or political activity, island hopping to more lucrative destinations, stealing credentials, launching attacks against some adversary...all with an eventual purpose of obtaining leverage/money. The purpose of randomware is to make money...it is not doing it. The code seems like either, the product of an incompetent or just a bitter hacker who is only interested in destroying.

Jim
 
----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" databaseadvisors.com>
Sent: Friday, January 6, 2017 9:48:07 AM
Subject: [dba-Tech] KillDisk evolves into ransomware

The malware is now encrypting files on both Windows and Linux systems and
asks for $216,000 to restore them but even if paid they can't restore them.

A malicious program called KillDisk, which has been used in the past to wipe
data from computers during cyberespionage attacks, is now encrypting files
and asking for an unusually large ransom. 

KillDisk was one of the components associated with the Black Energy malware
that a group of attackers used in December 2015 to hit several Ukrainian
power stations, cutting power for thousands of people. A month before that,
it was used against a major news agency in Ukraine. 

Since then, KillDisk has been used in other attacks, most recently against
several targets from the shipping sector, according to security researchers
from antivirus vendor ESET. 

However, the latest versions have evolved and now act like ransomware.
Instead of wiping the data from the disk, the malware encrypts it and
displays a message asking for 222 bitcoins to restore them. That's the
equivalent of $216,000, an unusually large sum of money for a ransomware
attack. 

What's even more interesting is that there's also a Linux variant of
KillDisk that can infect both desktop and server systems, the ESET
researchers said Thursday in blog post. The encryption routine and
algorithms are different between the Windows and the Linux versions, and on
Linux, there's another catch: The encryption keys are neither saved locally
nor sent to a command-and-control server, and the attackers can't actually
get to them. 

"The cyber criminals behind this KillDisk variant cannot supply their
victims with the decryption keys to recover their files, despite those
victims paying the extremely large sum demanded by this ransomware," the
ESET researchers said. 
The good news is that there's a weakness in the encryption mechanism for the
Linux version that makes it possible -- though difficult -- for the victim
to recover the files. With the Windows version, they can't. 

It's not clear why the KillDisk creators have added this encryption feature.
It could be that they're achieving the same goal as in the past --
destruction of data -- but with the ransomware tactic there's also a small
chance that they'll walk away with a large sum of money. 

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com


More information about the dba-Tech mailing list