
KillDisk Ransomware Now Targets Linux


Corrine


KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption

Researchers have discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files.

The KillDisk ransomware that targets Linux computers was discovered by ESET a week after researchers from CyberX came across the first KillDisk versions that included ransomware features, but which only targeted Windows PCs.


I'll bet abarbarian is happy he won that ESET license for his Linux system now!


Wonder what the point of this attack is. Even if you think you can get your data back, the ransom is so high it's hard to imagine anyone paying it except a large corporation with no backups available, and while large corps have their issues, lack of backup usually isn't among them. :hmm:


It does make me think about getting ESET for my linux though.

Edited by ebrke

V.T. Eric Layton

I'm not an expert, but I'd really like to know two things right off...

  • How does the malware install itself in Linux systems?
  • How does it encrypt files/directories that are in the root domain without root access?

So many of these "Linux virus/malware alerts" are so much FUD and BS most of the time that it makes one wonder what is and isn't BS. The only reason I give credence to the above is because ESET was involved in the discovery.


Edited by V.T. Eric Layton

securitybreach

Check my comments here: http://forums.scotsn...669#entry445053


Too bad that they didn't bother to quote the most important part of the source article:

ESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks against the country’s critical infrastructure in late 2015 and against a number of targets within its financial sector in December 2016.

http://www.welivesec...m-cant-decrypt/


These were targeted attacks from 2015 and 2016.

I'm not an expert, but I'd really like to know two things right off...

  • How does the malware install itself in Linux systems?
  • How does it encrypt files/directories that are in the root domain without root access?

So many of these "Linux virus/malware alerts" are so much FUD and BS most of the time that it makes one wonder what is and isn't BS. The only reason I give credence to the above is because ESET was involved in the discovery.


I basically said the same exact thing...


V.T. Eric Layton

Your comments on the other thread in BATL, Josh, were precisely how I was looking at this. To my knowledge, the only way to modify root files on a Linux installation would be 1) be root or 2) have access to the physical machine (not remote access) to be able to use an externally loaded OS of some sort to mount and manipulate the files that way.


Also, I had not read deeply enough to see the part you pointed out regarding it being a specifically targeted attack back in 2015. Chances are if the hackers were specifically targeting someone/some corporation, etc., they may have already had backdoor access somehow; maybe even physical access (a worker, delivery person, etc.).


Anyway, thanks to Corrine for posting this. It's been interesting.


securitybreach

Your comments on the other thread in BATL, Josh, were precisely how I was looking at this. To my knowledge, the only way to modify root files on a Linux installation would be 1) be root or 2) have access to the physical machine (not remote access) to be able to use an externally loaded OS of some sort to mount and manipulate the files that way.


Also, I had not read deeply enough to see the part you pointed out regarding it being a specifically targeted attack back in 2015. Chances are if the hackers were specifically targeting someone/some corporation, etc., they may have already had backdoor access somehow; maybe even physical access (a worker, delivery person, etc.).


Anyway, thanks to Corrine for posting this. It's been interesting.


Agreed :thumbsup: !!!!
