Destructive KillDisk Malware Turns Into Ransomware (securityweek.com)
wiredmikey writes from a report via SecurityWeek: A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain. CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware, and victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting "organizations with deep pockets." From the report: "The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted. The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions. Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims. According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products."
Yet another damn update (Score:3)
Re: (Score:2)
This is the price of mass technical illiteracy.
No.
This is the price of mass technical incompetence in the business space (not the technical staff).
Businesses don't want to, and don't have to, pay upfront for best-practice implementations that IT departments have been asking for, for years.
Blaming the user is a cheap cop-out.
It's a fucking computer. It has the ability to be predictive and "mentally" read the intentions of malware and say:
STOP! This action is not coming from the operator via user interface. It will encrypt data files and that action is no
Re: (Score:1)
Wrong: this is caused by a poor desktop O.S. (one that, until recently, let a simple user account administer the entire system without the "hassle" of using another user account...) - know what O.S. I'm talking about here?
Re: (Score:1)
Not all militaries use only Microsoft software (oops, got it: you are talking about the U.S. as if it were the entire world, huh?)
Re: (Score:1)
Re: (Score:2)
That's because KillDisk [socprime.com] only runs on Microsoft Windows. Which must never be mentioned in relation to Windows.
Re: (Score:2)
Post benchmarks on a modern system
To avoid "no true Scotsman" fallacies, please define "modern" first. I tried to use Google Search to find benchmark results, but "hosts" kept bringing up web hosting, and "APK" kept bringing up Android packages that can be installed through Unknown sources. The best I could find was this question on Super User [superuser.com].
Name one site that uses ClarityRay, detects a browser add-on and blocks it.
I know of three popular sites that use ClarityRay-like scripts: WIRED, the INQUIRER, and The Atlantic. All three of them admit that they can't tell the difference between tracking blockers, such as Gh
Re: (Score:1)
Re: (Score:1)
What is the relation of Telegram with this KillDisk?
Re: (Score:1)
Re: (Score:2)
These things all have the same solution: restore from your daily backup, which should not be pushed from the machine in question.
If the backup is not "pushed" from the machine in question, then how is the backup created?
Or do you mean don't backup the infected/ransomed machine AFTER it has been infected?
Re: (Score:2)
>> These things all have the same solution: restore from your daily backup, which should not be
>> pushed from the machine in question
> If the backup is not "pushed" from the machine in question, then
> how is the backup created?
The Windows machine grants read access to a remote backup machine (linux/bsd/whatever) on the network. The remote machine reads the current file version and backs it up. Note that *THE WINDOWS MACHINE MUST NOT HAVE WRITE ACCESS TO THE BACKUP MACHINE*. An infected Win
Re: (Score:2)
Until you discover that your backups are also infected.
Re: (Score:2)
> Until you discover that your backups are also infected.
That's what *VERSIONING BACKUP SOFTWARE* is for.
Re: (Score:2)
This fails in two ways. First, particularly sophisticated ransomware has in the past managed to infect the device running the versioning backup software and corrupt old versions. Second, what fraction of home users can be trusted to install and run versioning backup software correctly?
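The pull-model, versioned backup this subthread argues over, as an added example that is not part of the thread: the backup host reads from the client's share and keeps every snapshot write-once, and a change-ratio check flags a run in which nearly every file came back altered, so older snapshots are kept rather than rotated away. The function names and the constructed four-file scenario are this example's own.

```python
"""Pull-model, versioned backup (added example, not from the thread).
The backup host reads the client's share into its own store; the client
has no write path to the store, so older snapshots stay intact.
Names (pull_snapshot, changed_fraction, demo) are this example's own."""
import shutil
import tempfile
from pathlib import Path

def pull_snapshot(source: Path, store: Path, label: str) -> Path:
    """Read every file under `source` into store/<label>/; snapshots are
    write-once, so an existing label is never overwritten."""
    dest = store / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} exists; versions are immutable")
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        target = dest / f.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
    return dest

def changed_fraction(prev: Path, cur: Path) -> float:
    """Share of files in `prev` that differ from, or are missing in, `cur`.
    A jump toward 1.0 means the client is feeding the host altered data,
    so older snapshots must be retained rather than rotated away."""
    prev_files = [p for p in prev.rglob("*") if p.is_file()]
    if not prev_files:
        return 0.0
    def differs(p: Path) -> bool:
        q = cur / p.relative_to(prev)
        return not q.exists() or q.read_bytes() != p.read_bytes()
    return sum(differs(p) for p in prev_files) / len(prev_files)

def demo() -> tuple[float, float, list[str]]:
    """Constructed scenario: one ordinary edit, then every client file
    replaced wholesale. Returns both change ratios and surviving labels."""
    with tempfile.TemporaryDirectory() as tmp:
        client, store = Path(tmp, "client"), Path(tmp, "store")
        client.mkdir(); store.mkdir()
        for i in range(4):
            (client / f"doc{i}.txt").write_text(f"report {i}\n")
        pull_snapshot(client, store, "day1")
        (client / "doc0.txt").write_text("report 0, edited\n")
        pull_snapshot(client, store, "day2")
        normal = changed_fraction(store / "day1", store / "day2")
        for f in client.glob("*.txt"):
            f.write_text("<unreadable>\n")  # every file's content replaced
        pull_snapshot(client, store, "day3")
        mass = changed_fraction(store / "day2", store / "day3")
        return normal, mass, sorted(d.name for d in store.iterdir())
```

The ordinary day changes one file in four (0.25); the wholesale replacement changes all of them (1.0), and all three snapshots remain in the store for restore.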
Ya don't say (Score:2)