A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain.
Previous versions of KillDisk wiped hard drives in an effort to make systems inoperable, but a new variant observed by industrial cyber security firm CyberX encrypts files using a combination of RSA and AES algorithms. Specifically, each file is encrypted with an individual AES key and these keys are encrypted using an RSA 1028 key stored in the body of the malware.
CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware. The code is similar to earlier samples and its functionality is nearly the same.
The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted.
Victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting “organizations with deep pockets.” The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions.
Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims.
According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products.