A new Linux variant of the KillDisk ransomware has been discovered by researchers, and it has the potential to do serious harm to the entire system. According to security experts, this infection is a new addition to the KillDisk disk-wiper malware family, which was previously used only to damage companies by randomly deleting data and altering files. The Linux variant of KillDisk Ransomware was first discovered by ESET, just a week after researchers from CyberX detected the first KillDisk versions with ransomware features.
According to CyberX’s researchers, that first version was compatible only with Windows. Although it now belongs to the dangerous class of ransomware infections, KillDisk Ransomware also encrypts the system’s crucial files after fully penetrating it, but researchers report that the Windows and Linux versions work quite differently from each other. According to the research, on Linux KillDisk Ransomware does not save the encryption key anywhere, neither on disk nor online.
This makes it almost impossible for victims to recover their encrypted files, since the encryption key is discarded immediately after the encryption process completes. However, analysts suggest that victims in this situation need not give up: they have uncovered a flaw in the ransomware’s Linux variant that allows them to retrieve the encrypted files easily. Unfortunately, the same flaw does not exist in the version targeting Windows.
Windows Variant Of KillDisk Ransomware
The KillDisk Ransomware version targeting Windows has been labeled highly destructive. It works by encrypting each file with an AES-256 key and then encrypting that AES key with a public RSA-1028 key. With this variant, the private RSA key is stored on the crooks’ server, enabling the attackers to decrypt the encrypted files. This key can decrypt the files, but only after a huge ransom (i.e., ~215,000) is paid. In the case of the Windows variant of KillDisk Ransomware, the attackers receive the encryption key on their servers through the Telegram protocol, the one used by the eponymous IM chat app.
Linux Variant Of KillDisk Ransomware
The Linux variant of KillDisk Ransomware detected by ESET researchers during the past week is reported to be very different from the Windows variant. Unlike the Windows version, the Linux version no longer talks to its C&C server through the Telegram API. The encryption algorithms of the two also differ: in the Linux variant, targeted files are encrypted using Triple-DES applied to 4096-byte file blocks and a distinct set of 64-bit encryption keys.
This version of the ransomware has been found to target a specific set of folders, descending up to 17 subfolders deep for encryption. Some of them are shown below:
While encrypting, it appends the “DoN0t0uch7h!$CrYpteDfilE” extension to each file. After the encryption process completes, the threat rewrites the victim’s boot sector and uses the GRUB bootloader to display its ransom screen. The ransom note typically includes an email address where victims can reach the crooks. In November 2015, KillDisk Ransomware was used in attacks against a Ukrainian news media agency, and in December 2015 against Ukraine’s power grid. In December 2016, the threat was used by the TeleBots group against Ukrainian banks.
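For responders inventorying a hit Linux host, the two concrete indicators the article gives are the appended “DoN0t0uch7h!$CrYpteDfilE” extension and the 17-subfolder depth the malware walks. The following is an added triage example, not code from the article or from ESET or CyberX: it walks a directory tree to a bounded depth, lists files carrying the marker, and reads the first 4096-byte block of each to estimate its byte entropy (ciphertext sits near 8 bits per byte, ordinary text far lower). The marker string and the depth limit come from the article; the directory layout, the entropy heuristic and the sample tree it builds are constructed assumptions.

```python
"""Added example: triage scan for files carrying the KillDisk Linux variant's
appended marker, walking a tree to a bounded depth.  The marker and the depth
limit are taken from the article; everything else here is an assumption."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = "DoN0t0uch7h!$CrYpteDfilE"   # extension the article says is appended
MAX_DEPTH = 17                        # subfolder depth the article says is walked


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; random/encrypted bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_marker(root, max_depth=MAX_DEPTH):
    """Return sorted (relative_path, entropy_of_first_4096_bytes) tuples for
    every file under `root` whose name ends with MARKER, descending at most
    `max_depth` directory levels below `root`."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)   # root itself is 0
        if depth >= max_depth:
            dirnames[:] = []        # prune: os.walk will not descend further
        for name in filenames:
            if name.endswith(MARKER):
                path = Path(dirpath) / name
                with open(path, "rb") as fh:
                    ent = shannon_entropy(fh.read(4096))     # one 4096-byte block
                hits.append((str(path.relative_to(root)), round(ent, 2)))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample data: two 'encrypted' files (random bytes plus the
    marker), one untouched text file, and one marker file buried deeper than
    MAX_DEPTH so the depth bound is exercised.  Not real victim data."""
    base = Path(base)
    (base / "home" / "user").mkdir(parents=True)
    (base / "home" / "user" / ("report.pdf" + MARKER)).write_bytes(os.urandom(4096))
    (base / "home" / "user" / "notes.txt").write_text("plain text, untouched\n")
    (base / "var" / "www").mkdir(parents=True)
    (base / "var" / "www" / ("index.html" + MARKER)).write_bytes(os.urandom(4096))
    deep = base.joinpath(*["d%d" % i for i in range(MAX_DEPTH + 1)])  # depth 18
    deep.mkdir(parents=True)
    (deep / ("deep.bin" + MARKER)).write_bytes(os.urandom(64))
    return base


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_marker(tmp)


if __name__ == "__main__":
    for rel_path, entropy in demo():
        print(f"{entropy:5.2f}  {rel_path}")
```

On a real host you would point `scan_for_marker` at `/` (or at the mount points of interest) rather than at the constructed tree; the entropy column helps separate genuinely encrypted files from files that merely had the extension appended, and the pruning keeps the walk within the same bound the article attributes to the malware.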