Menu
KillDisk cyber sabotage tool evolves into ransomware

KillDisk cyber sabotage tool evolves into ransomware

The malware is now encrypting files on both Windows and Linux systems and asks for $216,000 to restore them

A malicious program called KillDisk that has been used in the past to wipe data from computers during cyberespionage attacks is now encrypting files and asking for an unusually large ransom.

KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine.

Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET.

However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore them. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack.

What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux, there's another catch: The encryption keys are neither saved locally nor sent to a command-and-control server, and the attackers can't actually get to them.

"The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said.

The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. With the Windows version, they can't.

It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Show Comments