Only Linux victims can decrypt warped $247,000 BlackEnergy module – and then only maybe
Variants of the KillDisk data wiping malware, famous for nuking computers in Ukrainian energy utilities, is now being used in possibly the world’s most expensive ransom attacks.
Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (US$247,000) for the data to be returned.
No-one has paid; this is a good thing, even for victims laden with cash, since the attackers cannot decrypt files because encryption keys are not saved locally or transmitted to command and control servers.
“Let us emphasise that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware,” ESET researchers Robert Lipovsky and Peter Kalnai say.
The malware was first a module employed in 2015 attacks against Ukraine’s Prykarpattya, Oblenergo, and Kyivoblenergo energy facilities.
It is distributed most often through phishing, the tactic used by its suspected Russian authors, and is capable of wrecking thousands of different file types.
Those attacks were “artistic”, Lipovsky and Kalnai say, using iconography from the hacker hit show Mr Robot.
The ransomware message is splashed in the overwritten GRUB bootloader and apologises for encrypting files.
We’re ‘sorry’, reads GRUB message.
While the KillDisk authors utterly failed in their bid to earn money from ransomware, they avoided encryption mistakes common to other blackhats in their use of Triple-DES applied to 4096-byte file blocks with each file using different 64-bit encryption key sets.
But they fell flat again opening a hole that lets Linux users decrypt files – with significant effort and some luck. Windows users have no such option at this stage.
“The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations,” the researchers say.
“[It] seems more like a nail in the coffin, rather than a true ransomware campaign.” ®
Sponsored: Customer Identity and Access Management