Whether the system is Windows or Linux, the incoming message is the same, as is the ransom demand and the email address.
Whether the system is Windows or Linux, the incoming message is the same, as is the ransom demand and the email address.

KillDisk malware is back, this time arriving as a Linux variant.

The discovery was made by researchers at ESET and reported on Thursday on the company blog We Live Security.

Already notorious from strikes against financial sector targets and critical infrastructure facilities in the Ukraine, the latest iteration of the KillDisk malware now renders Linux machines unbootable after encrypting files and demanding a large ransom. But, the researchers explain, a payout doesn't ensure the recovery of files.

KillDisk malware was first identified as a weapon in the arsenal of the BlackEnergy group, which began their campaigns in late 2015 with spear-phishing emails with Microsoft Excel files attached containing a malicious macro that, once clicked, downloaded a Python-written backdoor. Different attack campaigns spread over a year used the same mail server and the malicious macro code was similar.

The attack toolset has evolved since the earlier campaigns, the researchers said. For one, the attacks make use of Meterpreter backdoors. More insidious, the earlier code demonstrated a degree of artistry and playfulness (some strikes bore screens referring to the TV show "Mr. Robot"), while the latest version gets serious with file-encrypting ransomware carrying a demand for an exorbitant amount of money, 222 Bitcoins, or nearly US$250,000.

The evolution also adapts the malware to hit not only Windows systems but Linux devices as well, including workstations and servers. But whether the system is Windows or Linux, the incoming message is the same, as is the ransom demand and the email address to send ransom.

Further, the malware's strategy on either system encrypts using Triple-DES applied to 4096-byte file blocks, the ESET researchers explained, though each file is encrypted using a different set of 64-bit encryption keys.

Upon a reboot, the infected device will be unbootable. Worse, because "the encryption keys generated on the affected host are neither saved locally nor sent to a C&C server," it's pointless to expect recovery upon paying the ransom, as the miscreants responsible for KillDisk are incapable of providing decryption keys.

Robert Lipovsky, senior malware researcher at ESET and co-author with Peter Kalnai of the report, told SC Media on Friday that although he doesn't have information on how the Linux version spreads, it's likely that its spreading is the same as for its Windows counterparts. That is, planted by other malware backdoors, which are spread usually by spear-phishing emails.

Regardless of how it spreads, Lipovsky told SC that this KillDisk component was always used as a destructive feature in the past – whether it was to destroy media files of a news agency or critical workstations during the power grid attack to make restoration of power after the outage more difficult. 

"Now they've added ransomware functionality but it's doubtful that their aim is to make money in the way cybercriminals behind other ransomware commonly do. I'm making that assumption because of two main reasons: 1) They have not implemented a way to easily decrypt the files once the ransom was paid; and 2) The ransom is really high."

His advice: Do not pay up as there is no guarantee that victims will recover their data.

"The only safe way of dealing with ransomware is prevention – education, keeping systems updated and fully patched, using a reputable security solution, keeping backups and testing the ability to restore," the report concludes.