New KillDisk capabilities allow the malware to be controlled through a C&C server and used as crypto ransomware
ESET researchers have discovered a new variant of KillDisk malware designed for attacks on the Linux systems.
KillDisk is destructive malware that became known through the attack against the Ukrainian power grid in December 2015. It was also used in attacks against the Ukrainian financial sector in December 2016, when a hacking group dubbed TeleBots deployed KillDisk alongside other tools, including the Telegram messenger service.
Attacks using KillDisk continued throughout December 2016, when Ukrainian sea transportation companies became victims. The attack toolset has evolved since 2015 as well: KillDisk now carries Meterpreter backdoors and communicates with its C&C servers via the Telegram API. Moreover, KillDisk now has crypto ransomware functionality. After getting into the victim’s system, the tool no longer deletes files but encrypts the data and demands a ransom of 222 Bitcoin (approximately USD 250,000).
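Because the toolset described above uses the Telegram API as its C&C channel, one practical detection check is to look for Telegram API traffic from hosts where no interactive messenger use is expected, such as servers. The following is an added example, not code from the original report or from ESET; it assumes a constructed proxy log format and that the channel contacts Telegram's Bot API host name `api.telegram.org`.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log format for this example:
# "<timestamp> <source_host> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Assumption: a Telegram-API based C&C channel talks to the Bot API host.
# Extend this set if local telemetry shows other Telegram endpoints.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Constructed sample log lines (bot tokens are redacted placeholders).
SAMPLE_LOG = """\
2016-12-20T10:01:03Z ws-finance-07 GET https://api.telegram.org/bot<redacted>/getUpdates 200
2016-12-20T10:01:05Z ws-finance-07 GET https://www.example.com/news 200
2016-12-20T10:02:10Z db-core-01 POST https://api.telegram.org/bot<redacted>/sendMessage 200
2016-12-20T10:02:11Z db-core-01 GET https://api.telegram.org/bot<redacted>/getUpdates 200
2016-12-20T10:03:00Z fileserver-02 GET https://api.telegram.org/bot<redacted>/getUpdates 200
2016-12-20T10:03:30Z ws-hr-03 GET https://updates.example.org/check 304
"""

# Hosts where a messenger client has no business running (constructed inventory).
SERVER_HOSTS = {"db-core-01", "fileserver-02"}


def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_telegram_api(url):
    """True if the URL's host is one of the Telegram API hosts."""
    return urlparse(url).hostname in TELEGRAM_API_HOSTS


def count_telegram_contacts(log_text):
    """Count Telegram API requests per source host across the log."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_telegram_api(rec["url"]):
            hits[rec["host"]] += 1
    return dict(hits)


def find_suspicious_hosts(log_text, server_hosts):
    """Servers contacting the Telegram API, sorted by request count (desc)."""
    hits = count_telegram_contacts(log_text)
    flagged = [(h, n) for h, n in hits.items() if h in server_hosts]
    return sorted(flagged, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    for host, n in find_suspicious_hosts(SAMPLE_LOG, SERVER_HOSTS):
        print(f"ALERT: server {host} made {n} Telegram API request(s)")
```

Workstation hits are counted but not flagged, since legitimate Telegram use is plausible there; the server inventory is what turns a count into an alert, so keep that list accurate.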
The ransomware functionality is also present in the Linux version of the malware. Files are encrypted with the Triple-DES algorithm, and each file is encrypted with a different set of 64-bit encryption keys.