A security company has found a new variant of the KillDisk malware that encrypts files on Linux systems. It poses as ransomware but does not include a decryption mechanism.
Eset says it has found a Linux variant of the KillDisk malware used in the late 2015 attack on the Ukraine electricity system.
Like its Windows counterpart, the Linux version of KillDisk encrypts files, rendering the affected system unbootable. It asks for the same 222 Bitcoin (around US$278,000) ransom, but the encryption key used is neither stored locally or sent to a remote server, so even if the perpetrators are paid they have no way of reversing the process.
Eset says its researchers have found a weakness in the encryption method that makes decryption “possible, albeit difficult.” Exactly how decryption can be performed was not disclosed.
In the Ukraine electricity attack, KillDisk was planted on systems that had been already infiltrated by attackers. The Linux version malware requires root access to encrypt some of the directories it targets, so it seems probable that it will be used as part of a wider attack rather than showing up as a standalone Trojan.
Submitted by: Arnfried Walbrecht