Corrine, posted January 5, 2017

> KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
>
> Researchers have discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files. The KillDisk ransomware that targets Linux computers was discovered by ESET a week after researchers from CyberX came across the first KillDisk versions that included ransomware features, but which only targeted Windows PCs.

I'll bet abarbarian is happy he won that ESET license for his Linux system now!
ebrke, posted January 5, 2017 (edited)

Wonder what the point of this attack is. Even if you think you can get your data back, the ransom is so high it's hard to imagine anyone paying it except a large corporation with no backups available, and while large corps have their issues, lack of backup usually isn't among them. It does make me think about getting ESET for my Linux though.
V.T. Eric Layton, posted January 5, 2017 (edited)

I'm not an expert, but I'd really like to know two things right off... How does the malware install itself in Linux systems? How does it encrypt files/directories that are in the root domain without root access? So many of these "Linux virus/malware alerts" are so much FUD and BS most of the time that it makes one wonder what is and isn't BS. The only reason I give credence to the above is because ESET was involved in the discovery.
securitybreach, posted January 5, 2017

Check my comments here: http://forums.scotsn...669#entry445053

Too bad that they didn't bother to quote the most important part of the source article:

> ESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks against the country's critical infrastructure in late 2015 and against a number of targets within its financial sector in December 2016.

http://www.welivesec...m-cant-decrypt/

These were targeted attacks from 2015 and 2016.

> I'm not an expert, but I'd really like to know two things right off... How does the malware install itself in Linux systems? How does it encrypt files/directories that are in the root domain without root access? So many of these "Linux virus/malware alerts" are so much FUD and BS most of the time that it makes one wonder what is and isn't BS. The only reason I give credence to the above is because ESET was involved in the discovery.

I basically said the same exact thing...
V.T. Eric Layton, posted January 6, 2017

Your comments on the other thread in BATL, Josh, were precisely how I was looking at this. To my knowledge, the only way to modify root files on a Linux installation would be 1) be root or 2) have access to the physical machine (not remote access) to be able to use an externally loaded OS of some sort to mount and manipulate the files that way. Also, I had not read deeply enough to see the part you pointed out regarding it being a specifically targeted attack back in 2015. Chances are if the hackers were specifically targeting someone/some corporation, etc., they may have already had backdoor access somehow; maybe even physical access (a worker, delivery person, etc.). Anyway, thanks to Corrine for posting this. It's been interesting.
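The question running through this thread (what can ransomware touch on a Linux box if it is not root?) is answerable from plain POSIX permission semantics, so here is an added example, not code from ESET, the article or anyone in the thread. It walks a directory tree and classifies each file from the point of view of a process running as a given uid: writable in place, replaceable because the parent directory is writable even though the file itself is read-only, or protected until the attacker has root (or the offline/physical access Eric describes). The helper names (writable_by, classify_file, audit_tree, build_sample_tree), the sample tree and the uid 4242 are all assumptions for this example; since every file the script creates is owned by whoever runs it, ownership differences are simulated with mode bits, as the comments note.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical helper names chosen for this example; nothing here comes
# from the KillDisk analysis or from ESET.


def writable_by(st, uid, groups):
    """POSIX write-permission check on a stat result, evaluated for an
    arbitrary (uid, groups) identity instead of the calling process.
    uid 0 bypasses discretionary access control entirely, which is why
    'be root' is the short answer to the question in the thread."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def classify_file(path, uid, groups):
    """Three outcomes for a regular file seen by malware running as uid:
    'encryptable'  - contents can be overwritten in place
    'replaceable'  - file is read-only, but its parent directory is
                     writable, so it can be unlinked and replaced with an
                     encrypted copy (mode bits on the file do not help)
    'protected'    - neither; changing it needs root or offline access"""
    st = os.lstat(path)
    parent = os.lstat(os.path.dirname(path) or ".")
    if writable_by(st, uid, groups):
        return "encryptable"
    if writable_by(parent, uid, groups):
        return "replaceable"
    return "protected"


def audit_tree(root, uid=None, groups=None):
    """Walk root and count what a process running as uid could damage.
    Defaults to the calling process's own identity."""
    if uid is None:
        uid = os.geteuid()
    if groups is None:
        groups = set(os.getgroups()) | {os.getegid()}
    counts = {"encryptable": 0, "replaceable": 0, "protected": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # for symlinks the target's permissions decide
            counts[classify_file(full, uid, groups)] += 1
    return counts


def build_sample_tree():
    """Constructed sample tree (assumption, not a real system). Every file
    is owned by whoever runs this, so ownership is simulated with modes:
    the fake home directory is 0777 with a 0666 and a 0444 file (standing
    in for 'owned by the user'); the fake /etc and /boot are 0755 with
    0644 files (standing in for 'owned by root')."""
    base = tempfile.mkdtemp(prefix="exposure-audit-")
    home = Path(base, "home", "alice")
    home.mkdir(parents=True)
    (home / "notes.txt").write_text("user data\n")
    os.chmod(home / "notes.txt", 0o666)
    (home / "archive.tar").write_bytes(b"\x00" * 32)
    os.chmod(home / "archive.tar", 0o444)  # read-only file, writable parent
    os.chmod(home, 0o777)
    for sysdir, fname in (("etc", "fstab"), ("boot", "grub.cfg")):
        d = Path(base, sysdir)
        d.mkdir()
        (d / fname).write_text("# constructed placeholder\n")
        os.chmod(d / fname, 0o644)
        os.chmod(d, 0o755)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    # uid 4242 is an assumed unprivileged user who owns nothing in the tree.
    print("as unprivileged user:", audit_tree(sample, uid=4242, groups={4242}))
    print("as root:             ", audit_tree(sample, uid=0, groups={0}))
```

Run against the sample tree, the unprivileged identity can overwrite one file and replace another (everything under the fake home directory), while the fake /etc and /boot entries stay protected; the same walk as uid 0 reports every file as encryptable. Pointing audit_tree at a real home directory with the default identity shows the practical lesson of the thread: no root is needed to destroy all of a user's own data, and a read-only bit on a file in a writable directory is no defence, which is why backups matter more than file modes.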
securitybreach, posted January 6, 2017

> Your comments on the other thread in BATL, Josh, were precisely how I was looking at this. To my knowledge, the only way to modify root files on a Linux installation would be 1) be root or 2) have access to the physical machine (not remote access) to be able to use an externally loaded OS of some sort to mount and manipulate the files that way. Also, I had not read deeply enough to see the part you pointed out regarding it being a specifically targeted attack back in 2015. Chances are if the hackers were specifically targeting someone/some corporation, etc., they may have already had backdoor access somehow; maybe even physical access (a worker, delivery person, etc.). Anyway, thanks to Corrine for posting this. It's been interesting.

Agreed!!!!