Researchers have discovered a linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files.

The KillDisk ransomware that targets Linux computers was discovered by ESET a week after researchers from CyberX came across t he first KillDisk versions that included ransomware features, but which only targeted windows PCs.

Linux version fumbles the encryption key

According to the ESET researchers, the way the KillDisk ransomware version work on Windows and Linux is completely different, with the biggest issue being that on Linux, KillDisk doesn't save the encryption key anywhere on disk or online.

Normally, this would mean that victims would never be able to recover files since the encryption key would be lost immediately after the encryption process ends.

The good news is that ESET researchers say they've uncovered a flaw in the Linux variant that permits them to recover the encrypted files. The same weakness does not exist in the version that targets Windows PCs.

KillDisk ransomware, Windows variant

The KillDisk ransomware variant that targets Windows machines worked by encrypting each file via an AES-256 key, and then encrypting the AES keys with a public RSA-1028 key.

A private RSA key stored on the crook's server allowed attackers to decrypt the victim's files, but only after victims paid a humongous ransom of 222 Bitcoin (~$215,000). A screenshot of the Windows version's ransom screen is available below.


KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
KillDisk Windows ransomware ransom note (via CyberX)

Crooks received the encryption keys on their servers via the Telegram protocol, used for the eponymous IM chat app. Because of this, CyberX named the operators of this ransomware campaign as the TeleBots group.

KillDisk ransomware, Linux variant

The Linux variant spotted by ESET researchers during the past week is very different from the Windows variant.

First and foremost, the Linux version does not talk to its C&C server via the Telegram API anymore. The encryption is also different.

According to researchers, the victim's "files are encrypted using Triple-DES applied to 4096-byte file blocks," and "each file is encrypted using a different set of 64-bit encryption keys."

The Linux variant targets the following folders, at a depth of 17 subfolders, encrypting all files and appending the "DoN0t0uch7h!$CrYpteDfilE" termination.

/boot
/bin
/sbin
/lib/security
/lib64/security
/usr/local/etc
/etc
/mnt
/share
/media
/home
/usr
/tmp
/opt
/var
/root

The KillDisk Linux ransomware will also rewrite the user's boot sector and will use the GRUB bootloader to show its ransom screen.

The ransom note is word for word identical with the one shown in the Windows version, including the email address where victims can reach out to crooks.


KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
KillDisk Linux ransomware ransom note (via ESET)

Before going the route of ransomware, KillDisk had been used solely in cyber-espionage and cyber-sabotage operations.

The most notorious attacks using KillDisk involved deleting system files, replacing data files, and rewriting file extensions.

In November 2015, KillDisk was used in attacks against a Ukrainian news media agency. In December 2015, KillDisk was used to sabotage Ukraine's power grid. A cyber-espionage group known as BlackEnergy is suspected of being behind the attacks.

In December 2016, the TeleBots group used the KillDisk Windows ransomware to attack Ukrainian banks. At the time of writing, there is no evidence to link the TeleBots group with BlackEnergy.

Ransomware features used as a decoy?

In all attacks, BlackEnergy had used KillDisk to destroy computers and erase evidence of their attacks, perpetrated with other malware families.

The newly added ransomware features may be another way to mask their attacks, with companies thinking they might have been hit by ransomware, and not investigate the intrusions for other clues.

The ransomware's huge ransom demand also plays in with this scenario as it's absurd to think that a company might pay this much to recover their files.

The TeleBots gang may be hoping that companies give up on their files. By doing so, other signs and clues of the group's intrusions would remain lost and encrypted forever.

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

主题: LinuxWindowsUB
分页:12
转载请注明
本文标题:KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
本站链接:http://www.codesec.net/view/521510.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(25)