We recently wrote that the KillDisk malware became capable of encrypting data. A newly discovered variant of the malware could act like ransomware to demand money in exchange for decryption. A Linux variant of KillDisk was discovered by ESET researchers. The malware was deployed in attacks against Ukraine in late 2015 and against other targets in the country’s financial sector in December 2016.
Related: TeleBots Target Ukranian Financial Sector with KillDisk Malware
The new variant targets Linux systems and makes them unbootable, but first it encrypts their data and demands a large ransom. The ransom demanded by the malware creators is quite big for both Windows and Linux systems – 222 Bitcoin which equals to $247,000. Researchers say that no victim has paid, which is great news. Apparently, the attackers cannot decrypt any encrypted data since the encryption keys are neither saved locally nor are they transmitted to C&C servers.
Related: KillDisk Malware Now a Ransomware
According to ESET researchers, these recent ransomware KillDisk variants are not only able to target Windows systems, but also Linux machines, which is a curious thing to see in the malware world. The targets may be not only attack Linux workstations but also servers.
The Windows variants, detected by ESET as Win32/KillDisk.NBK and Win32/KillDisk.NBL, encrypt files with AES (256-bit encryption key generated using CryptGenRandom) and the symmetric AES key is then encrypted using 1024-bit RSA. In order not to encrypt files twice, the malware adds the following marker to the end of each encrypted file: DoN0t0uch7h!$CrYpteDfilE.
Researchers also report that in both Windows and Linux versions the ransom message is absolutely identical, including information about the ransom amount and payment – 222 Bitcoin, Bitcoin address, and contact email.
Linux/KillDisk Technical Overview
The Windows and the Linux versions of KillDisk are quite identical but this doesn’t go to the technical implementation. The Linux version displays the ransom message within the GRUB bootloader which is quite unusual. Once the malware is executed the bootloader entries will be overwritten so that they display the ransom note.
Files are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set of 64-bit encryption keys.
After the infected system is rebooted it will become unbootable.
ESET researchers have observed a weakness in the encryption in the Linux version of KillDisk, which makes recovery possible but still difficult. This weakness is not seen in the Windows version.
As already mentioned, paying the ransom won’t help with the decryption of the file as the encryption keys generated on the infected system are neither saved locally not sent to a command and control server.