A new variant of KillDisk malware linked to the infamous BlackEnergy group encrypts Linux machines and demands a huge ransom, but is not capable of decryption.
The new variant of KillDisk encrypts Linux machines, making them unbootable, with data permanently lost. Despite the fact that the malware’s design doesn’t allow for the recovery of encrypted files, as the encryption keys are neither stored locally nor sent anywhere, the criminals behind KillDisk demand 250 thousand USD in Bitcoins. Fortunately, ESET researchers found a weakness in the encryption employed which makes recovery possible, albeit difficult.
“KillDisk serves as another example of why paying ransom should not be considered an option. When dealing with criminals, there’s no guarantee of getting your data back – in this case, the criminals clearly never intended to deliver on their promises. The only safe way of dealing with ransomware is prevention. Education, keeping systems updated and fully patched, using a reputable security solution, keeping backups and testing the ability to restore – these are the components of true insurance,” says Robert Lipovský, ESET Senior Researcher.
KillDisk is a destructive malware that gained notoriety as a component of the successful attack performed by the BlackEnergy group against the Ukrainian power grid in December 2015.
More recently, ESET researchers detected planned cyber-sabotage attacks against a number of different targets within Ukraine’s financial sector. Since then, KillDisk attack campaigns have continued, aimed at several targets in the maritime transport sector.
The attack toolset has evolved, and recent variants of KillDisk serve as file-encrypting ransomware. Initially targeting Windows systems, the malware now has a version targeting Linux machines, which affects not only Linux workstations but also servers, amplifying the damage potential.