id2969037security1100606370orig
Security

KillDisk cyber sabotage tool evolves into ransomware

A malicious program called KillDisk that has been used in the past to wipe data from computers during cyberespionage attacks is now encrypting files and asking for an unusually large ransom.

KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine.

Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET.

However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore them. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack.

What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux, there's another catch: The encryption keys are neither saved locally nor sent to a command-and-control server, and the attackers can't actually get to them.

"The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said.

The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. With the Windows version, they can't.

It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.

IDG Insider

PREVIOUS ARTICLE

« The Brydge keyboard for Microsoft Surface adds 'lapability' and optional storage

NEXT ARTICLE

Microsoft is bundling cloud services to make cars smarter »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

How to (really) evaluate a developer's skillset

Adrian Bridgwater’s deconstruction & analysis of enterprise software

Unicorns are running free in the UK but Brexit poses a tough challenge

Trevor Clawson on the outlook for UK Tech startups

Cloudistics aims to trump Nutanix with 'superconvergence' play

Martin Veitch's inside track on today’s tech trends

Poll

Is your organization fully GDPR compliant?