January 10, 2017 by

Disk-Wiping Malware KillDisk Now Targets Linux Systems

Infamous disk-wiping malware KillDisk gains an update which sees it compromise Linux systems alongside Windows machines.

The malware, known to be used in hacking attacks during espionage operations also gains the ability to encrypt files, demand a ransom in bitcoin and render Linux machines unbootable.

According to Slovakian security firm ESET, the KillDisk malware is prevalent in a series of online attacks against several financial institutions that began a month ago in early December. However, different variants of KillDisk have now emerged since the attacks began.  The new versions can not only infect Windows but can also compromise Linux workstations and crucially, even Linux servers. More significantly, however, the variant creates an encryption key that does not get saved to the disk or communicated to the attackers, ESET researchers discovered. Fundamentally, even if victims pay up that bitcoin ransom, there’s simply no way that they would receive a decryption key in return.

First spotted by ESET, the Linux variant of the KillDisk malware overwrites the GRUB bootloader on Linux. This is essentially the first code to run when a Linux system is booted. As a result, the system’s boot command is prevented and a random message is displayed instead. While varying in versions, the messages all point to common content that includes: a message confirming the infection, the ransom amount, a bitcoin address for payment of the ransom and a contact email for the attacker. This contact email is typically registered with lelantos.org, an anonymous and secure email service.

The ransom demand at 222 bitcoins, is common across both Linux and Windows systems. That amount is currently worth about $210,000.

To date, no one appears to have paid the ransom, according to at least one blockchain record for a bitcoin address mentions in ESET’s report. This begs the question, are the attacks running an operation merely to disrupt and destroy data in a larger campaign of psychological warfare, rather than a ransomware campaign?

The early variants of Linux-targeting versions of KilDisk, according to ESET, isn’t iron-clad with the encrypting cryptography, leaving “recovery possible, albeit difficult”. However, future versions are expected to shore up on the flaw.

Image credit: Pixabay.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

26% of Ransomware Attacks Target Corporate Businesses

New research from Kaspersky Lab has revealed that the number of ransomware attacks targeting...

Read more arrow_forward

Ransomware Payments to Hit a Record $2 Billion in 2017: Research

According to new research from a cybersecurity firm, ransomware payments will hit a high of $2...

Read more arrow_forward

Iowa Student Arrested for Changing Grades Using Keylogger Malware

A former student at the University of Iowa has been arrested in his hometown of Denver after using...

Read more arrow_forward