id2969037security1100606370orig
Security

KillDisk cyber sabotage tool evolves into ransomware

A malicious program called KillDisk that has been used in the past to wipe data from computers during cyberespionage attacks is now encrypting files and asking for an unusually large ransom.

KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine.

Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET.

However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore them. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack.

What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux, there's another catch: The encryption keys are neither saved locally nor sent to a command-and-control server, and the attackers can't actually get to them.

"The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said.

The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. With the Windows version, they can't.

It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.

IDG Insider

PREVIOUS ARTICLE

« The Brydge keyboard for Microsoft Surface adds 'lapability' and optional storage

NEXT ARTICLE

Microsoft is bundling cloud services to make cars smarter »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

International Women's Day: We've come a long way, but there's still an awfully long way to go

Charlotte Trueman takes a diverse look at today’s tech landscape.

Trump's trade war and the FANG bubble: Good news for Latin America?

Lewis Page gets down to business across global tech

20 Red-Hot, Pre-IPO companies to watch in 2019 B2B tech - Part 1

Martin Veitch's inside track on today’s tech trends

Poll

Do you think your smartphone is making you a workaholic?