KillDisk Linux version demands huge ransom but fails to provide decryption

We recently wrote that the KillDisk malware had become capable of encrypting data: a newly discovered variant acts like ransomware and demands money in exchange for decryption. Now a Linux variant of KillDisk has been discovered by ESET researchers. The malware was deployed in attacks against Ukraine in late 2015 and against further targets in the country's financial sector in December 2016.

The new variant targets Linux systems and makes them unbootable, but first it encrypts their data and demands a large ransom. The amount demanded is the same for the Windows and Linux variants and is very high: 222 Bitcoin, which at the time equalled roughly $247,000. Researchers say that no victim has paid, which is good news, because paying would not have helped: the attackers are in no position to decrypt the data, since the encryption keys are neither saved locally nor transmitted to a C&C server (see the Linux technical overview below).

According to ESET researchers, these recent KillDisk ransomware variants target not only Windows systems but also Linux machines, which is an unusual thing to see in the malware world. On the Linux side the targets may be servers as well as workstations.

The Windows variants, detected by ESET as Win32/KillDisk.NBK and Win32/KillDisk.NBL, encrypt files with AES using a 256-bit key generated with CryptGenRandom; the symmetric AES key is then encrypted with 1024-bit RSA. To avoid encrypting a file twice, the malware appends the following marker to the end of each encrypted file: DoN0t0uch7h!$CrYpteDfilE.
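That trailing marker is a cheap indicator for triage: a responder can sweep a file share or a disk image and list every file the Windows variant has already processed, without decrypting anything. The script below is an added example written for this article, not code from ESET or from the malware; it checks only the documented marker and nothing else about the file format, and the directory tree it scans is constructed inline for the demonstration (the file names are invented).

```python
"""Triage helper: find files carrying the KillDisk 'already encrypted' marker."""
import os
import tempfile
from pathlib import Path
from typing import List

# Marker the Windows KillDisk variants append to each encrypted file (per the ESET report).
KILLDISK_MARKER = b"DoN0t0uch7h!$CrYpteDfilE"


def has_killdisk_marker(path: Path) -> bool:
    """Return True if the file's last bytes equal the marker.

    Only the tail of the file is read, so large files are cheap to check.
    """
    size = path.stat().st_size
    if size < len(KILLDISK_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(KILLDISK_MARKER))
        return fh.read(len(KILLDISK_MARKER)) == KILLDISK_MARKER


def find_marked_files(root: Path) -> List[Path]:
    """Walk `root` and return the paths of regular files ending with the marker."""
    hits: List[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files
            try:
                if has_killdisk_marker(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two 'encrypted' files and two clean ones (invented names)."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(os.urandom(4096 * 3) + KILLDISK_MARKER)
    (root / "docs" / "notes.txt").write_bytes(b"plain text, untouched\n")
    (root / "tiny.bin").write_bytes(b"ab")  # shorter than the marker itself
    (root / "budget.xlsx").write_bytes(os.urandom(100) + KILLDISK_MARKER)


def demo() -> List[str]:
    """Scan a constructed sample tree and return the hits as sorted relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(h.relative_to(root).as_posix() for h in find_marked_files(root))


if __name__ == "__main__":
    for rel in demo():
        print("KillDisk marker found:", rel)
```

Two caveats: the page documents this marker only for the Windows variants, so a Linux host with no marked files is not thereby cleared, and a marker at the tail of a file says nothing about whether the AES-wrapped key can ever be recovered. Run it against a read-only mount or an image copy, never the live victim disk.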

Researchers also report that the ransom message is identical in the Windows and Linux versions, including the ransom amount and payment details: 222 Bitcoin, the Bitcoin address, and the contact email.

Linux/KillDisk Technical Overview

The Windows and Linux versions of KillDisk behave much alike, but this does not extend to the technical implementation. The Linux version displays the ransom message within the GRUB bootloader, which is quite unusual: once the malware is executed, the bootloader entries are overwritten so that they display the ransom note instead of booting the system.

Files are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set of 64-bit encryption keys (64-bit DES keys, of which only 56 bits are effective, the rest being parity).

ESET researchers have observed a weakness in the encryption of the Linux version of KillDisk which makes recovery possible, although still difficult. The Windows version does not share this weakness.

As already mentioned, paying the ransom will not help with decryption of the files, because the encryption keys generated on the infected system are neither saved locally nor sent to a command-and-control server.