Menu
KillDisk cyber sabotage tool evolves into ransomware

KillDisk cyber sabotage tool evolves into ransomware

The malware is now encrypting files on both Windows and Linux systems and asks for $216,000 to restore them

A malicious program called KillDisk that has been used in the past to wipe data from computers during cyberespionage attacks is now encrypting files and asking for an unusually large ransom.

KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine.

Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET.

However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore them. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack.

What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux, there's another catch: The encryption keys are neither saved locally nor sent to a command-and-control server, and the attackers can't actually get to them.

"The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said.

The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. With the Windows version, they can't.

It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments