Linux-Targeted KillDisk Discovered

And how it may use ransomware to hide true purpose

Posted on 16 January 2017

Linux is a commonly used operating system on servers within large enterprises, especially in the financial sector, but now a variant of the KillDisk malware that was used in attacks against Ukraine in late 2015 and late 2016 has been discovered targeting Linux.


The Linux variant of the KillDisk malware, discovered by ESET researchers, leaves machines unbootable, after encrypting files and requesting a large ransom. As some of the most valuable systems and data in a large enterprise might be on Linux systems, ransomware that can target Linux is a desirable tool for syndicates.


Once locked out of their machines, victims of this latest variant are asked to pay unusually high ransom demands – around $250,000. ​One reason for this exorbitant demand could simply be that the data targeted was deemed to be of a high enough value that victims would be willing to pay a high price to unlock it. However, the samples of KillDisk analyzed by researchers were found to contain no mechanism to send the file encryption keys to attacker infrastructure, suggesting that decryption would not be possible.


The high ransom amount and missing decryption process could suggest that the true purpose of attacks using the Linux KillDisk malware is to provide plausible deniability. KillDisk could be used in a cyber-sabotage attack with no intention of allowing for data recovery or merely a red herring for investigators after data theft has taken place. As such, victims may think that the attack is nothing more than a money-making exercise by criminals, when in fact they have been targeted for the information they hold.

So what can Linux users do to protect themselves from this new KillDisk variant?

While ESET reported that there are some weaknesses in the implementation of the Linux variant of KillDisk that may make it possible to recover data, Linux users should not rely on such flaws and should rather defend their infrastructure appropriately.


In addition to traditional efforts to patch and manage an enterprise network securely, there are several endpoint products now coming to market that aim to provide specific prevention and detection against ransomware through behavioral analysis.


Organizations should also implement good threat hunting capabilities to detect targeted attacks and lateral movement within a network, such as targeted compromises of endpoints with a view to move laterally to gain administrative access to Linux servers.


Finally, good backup procedures and disaster recovery strategies are required to allow timely and effective recovery in the event of data or system loss from ransomware or cyber-sabotage operations.