January 6, 2017
KillDisk is one of the pieces of malware that made the news several times in 2016, mostly because it was used for compromising several high-profile targets, including utility companies in Ukraine.
KillDisk has been considered responsible for a nationwide power outage in Ukraine, after a number of computers were compromised with malware and could no longer boot due to what seemed to be an infection that broke down the operating system.
The very same infection is now targeting Linux systems, but with a different approach, according to security company ESET. KillDisk has adopted ransomware-inspired tactics, and while it does infect systems and makes it impossible to boost the OS, it also asks for a ransom to restore access to data.
On Linux, KillDisk displays the ransom message within the GRUB bootloader, so when the malware is executed, any other option that was previously displayed is no longer available.
“The main encryption routine recursively traverses the following folders within the root directory up to 17 subdirectories in depth. Files are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set of 64-bit encryption keys,” ESET says.