ESET warns KillDisk is now trying to infect Linux systems

Jan 6, 2017 13:00 GMT  ·  By

KillDisk is one of the pieces of malware that made the news several times in 2016, mostly because it was used for compromising several high-profile targets, including utility companies in Ukraine.

KillDisk has been considered responsible for a nationwide power outage in Ukraine, after a number of computers were compromised with malware and could no longer boot due to what seemed to be an infection that broke down the operating system.

The very same infection is now targeting Linux systems, but with a different approach, according to security company ESET. KillDisk has adopted ransomware-inspired tactics, and while it does infect systems and makes it impossible to boost the OS, it also asks for a ransom to restore access to data.

On Linux, KillDisk displays the ransom message within the GRUB bootloader, so when the malware is executed, any other option that was previously displayed is no longer available.

“The main encryption routine recursively traverses the following folders within the root directory up to 17 subdirectories in depth. Files are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set of 64-bit encryption keys,” ESET says.

Do not pay the ransom!

As you can also see in the screenshot included in the article and captured on a computer infected with the Linux/KillDisk.A Trojan, the ransom message displayed to users is the following:

We are so sorry, but the encryption
of your data has been successfully completed,
so you can lose your data or
pay 222 btc to 1Q94RXqr5WzyNh9Jn3YLDGeBoJhxJBigcF
with blockchain.info
contact e-mail:[email protected]
There’s one critical thing that administrators of systems infected with KillDisk must have in mind: even though the malware asks for a ransom to be paid in order to restore access to the system, victims shouldn’t pay up. It appears that the encryption keys aren’t stored on the local drives and aren’t submitted to a command and control server either, so they are automatically deleted after being generated.

In other words, even if you pay the ransom, the attackers wouldn’t be able to decrypt the system and restore access. So no, paying the ransom should not be on your solution list.