Researchers have discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files.
The KillDisk ransomware that targets Linux computers was discovered by ESET a week after researchers from CyberX came across the first KillDisk versions that included ransomware features, but which only targeted Windows PCs.
According to the ESET researchers, the Windows and Linux versions of the KillDisk ransomware work in completely different ways, with the biggest issue being that on Linux, KillDisk doesn't save the encryption key anywhere, neither on disk nor online.
Normally, this would mean that victims would never be able to recover files since the encryption key would be lost immediately after the encryption process ends.
The good news is that ESET researchers say they’ve uncovered a flaw in the Linux variant that permits them to recover the encrypted files. The same weakness does not exist in the version that targets Windows PCs.
The KillDisk ransomware variant that targets Windows machines worked by encrypting each file via an AES-256 key, and then encrypting the AES keys with a public RSA-1028 key.
Submitted by: Arnfried Walbrecht