A piece of malicious software called KillDisk, infamously known for wiping files on a hard drive and corrupting it afterwards, is now equipped with a ransomware component, giving it the ability to lock up a victim's computer and demand money.
KillDisk was developed by a gang calling themselves "TeleBots," a group which is also behind a backdoor trojan of the same name, and responsible for a cyber-attack that sabotaged Ukrainian companies in 2016. Ukrainian banks have also been targeted, through malicious email attachments that contain the trojan.
Once important data has been collected from infected systems, KillDisk is deployed. It destroys and replaces system files and modifies file extensions. The damage renders the computer unbootable and also hides the identity of the attacker.
To make matters worse, KillDisk now functions mainly as ransomware. As Bleeping Computer puts it, this makes it much easier for the cybercriminals to cover their tracks: when the attack is presented as ransomware, it covers up the TeleBots backdoor trojan.
"Targets would think they suffered a mundane ransomware infection, and they wouldn't go looking for the TeleBots backdoor or other data exfiltration malware. Targets would restore from backup or pay the ransom and move on, trying to avoid the bad publicity."
However, it's not that easy to get important files back and move on; KillDisk demands 222 bitcoins from the affected user, which is equal to roughly $215,000. KillDisk also employs strong encryption: each file is encrypted with an AES key, and the AES key is then encrypted with an RSA-1028 key. In practice, this makes decryption more difficult than with the usual ransomware.
At this point, there is still no known way to decrypt infected files. The only way to set them free is to contact the developers of the malware, pay the demanded money, and finally receive the key needed.
Source: Bleeping Computer