KillDisk, originally a malware variant designed to wipe data from hard drives, now includes ransomware capabilities. KillDisk was used previously by cyber-espionage groups such as the Sandworm gang to target and sabotage ICS and SCADA networks. In late 2016, it was used by the TeleBots gang to attack Ukrainian banks. In the Ukranian attack, KillDisk used the Windows Graphic Design Interface to create a picture that references a hacking group logo used in the TV series, Mr. Robot. There are two variants of KillDisk ransomware in the wild – one targets Windows and the other targets Linux. The Windows KillDisk variant encrypts each targeted file with an individual AES key and then encrypts the AES key with a public RSA-2048 key. It transmits encryption keys using the Telegram protocol. The Linux KillDisk variant encrypts targeted files using Triple-DES applied to 4096-byte file blocks and encrypts each file with a different set of 64-bit encryption keys, according to ESET researchers. The Linux variant does not communicate to its C2 servers via the Telegram protocol and it appends DoN0t0uch7h!$CrYpteDfilE to encrypted file names. After infection, the system will be unable to boot as the Linux variant overwrites the boot sector and uses the GRUB bootloader to display the ransom note. The ransom payment demand for both the Linux and the Windows version of KillDisk is 222 Bitcoin.

  •  CyberX provides more information about KillDisk here.
  • ESET provides more information on the KillDisk Linux variant here.
  • The NJCCIC is not currently aware of any free decryption tools for KillDisk.