Disk-Wiping Malware KillDisk Now Targets Linux Systems

Infamous disk-wiping malware KillDisk gains an update which sees it compromise Linux systems alongside Windows machines.

The malware, known to be used in hacking attacks during espionage operations also gains the ability to encrypt files, demand a ransom in bitcoin and render Linux machines unbootable.

According to Slovakian security firm ESET, the KillDisk malware is prevalent in a series of online attacks against several financial institutions that began a month ago in early December. However, different variants of KillDisk have now emerged since the attacks began.  The new versions can not only infect Windows but can also compromise Linux workstations and crucially, even Linux servers. More significantly, however, the variant creates an encryption key that does not get saved to the disk or communicated to the attackers, ESET researchers discovered. Fundamentally, even if victims pay up that bitcoin ransom, there’s simply no way that they would receive a decryption key in return.

First spotted by ESET, the Linux variant of the KillDisk malware overwrites the GRUB bootloader on Linux. This is essentially the first code to run when a Linux system is booted. As a result, the system’s boot command is prevented and a random message is displayed instead. While varying in versions, the messages all point to common content that includes: a message confirming the infection, the ransom amount, a bitcoin address for payment of the ransom and a contact email for the attacker. This contact email is typically registered with lelantos.org, an anonymous and secure email service.

The ransom demand at 222 bitcoins, is common across both Linux and Windows systems. That amount is currently worth about $210,000.

To date, no one appears to have paid the ransom, according to at least one blockchain record for a bitcoin address mentions in ESET’s report. This begs the question, are the attacks running an operation merely to disrupt and destroy data in a larger campaign of psychological warfare, rather than a ransomware campaign?

The early variants of Linux-targeting versions of KilDisk, according to ESET, isn’t iron-clad with the encrypting cryptography, leaving “recovery possible, albeit difficult”. However, future versions are expected to shore up on the flaw.

Image credit: Pixabay.