Destructive KillDisk Malware Turns Into Ransomware (securityweek.com)
wiredmikey writes from a report via SecurityWeek: A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain. CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware, and victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting "organizations with deep pockets." From the report: "The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted. The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions. Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims. According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products."
My meme folders aren't worth $210,000!
Color me shocked.
222 BTC ~ 216K US dollars
and climbing fast
So can every KillDisk user upgrade now, to fix the deleted-files problem? Or does the ransom change need to be pulled by a bunch of different branch maintainers first?
"Believe me!" -- Donald Trump
Writing a program that encrypts files is pretty straightforward. Getting it to run on the victim's computer is the tricky bit. Can anyone provide more information about how the payload is delivered?
* Per source article(s) from https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html/ http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/ http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware/ as this malware/botnet descends from others before it...
APK
P.S.=> Those are its C&C's + other compromised sites/hosts/domains-subdomains & THIS IS THE 10th BOTNET HOSTS CONQUER IN THE PAST 2++ WEEKS - here's the others (many before it, but not as many as recently so fast & clustered together) https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/
These things all have the same solution: restore from your daily backup, which should not be pushed from the machine in question, and should be well tested for recoverability. Even for personal in-home computing, the refrain since the 1970s has been "make backups". If you are still not doing this in 2016, you deserve what you get. It isn't just malicious hackers that are a threat, it's hardware failures, accidents, and more.
There is no reason to ever consider paying such ransom.
And also, secure your systems so it doesn't happen to you again in the future.
I get mails all the time that require me to rename z_p, piz, txt and whatever else to zip to open them because things are so locked down that the administrators can't even do their jobs to get security patches for their products due to some overzealous corporate firewall that tries to block any info from getting in. Try to loosen the rules and you're looking at a month spent on a change request that will probably never go anywhere. Some of them have somehow added their own vendors' sites to blocklists and not even public ones so we have no idea who to even appeal to. This is quite common in the military where some McAfee product will always be causing severe harm and I'm sure they pay out their rear ends for "support" that doesn't amount to anything. Or perhaps they suffer breakage based on ridiculous settings that got added to a STIG.
Hosts add speed (hardcodes/adblocks),
Trivial speed increase. Post benchmarks on a modern system and show how much you 'save'.
security (.../poisoned dns), reliability (dns down), & anonymity (requestlogs/trackers) natively.
Edge cases, at best.
Avg. page = big as Doom
from the article - "There's also the fact that we're no longer living in a world of PCs with 4MB of RAM, 33MHz processors, text-only BBSes and 33kbps modems – everything's scaled up, including the complexity and size of internet downloads."
& ads = 40% of it
No where in the linked article do they talk about advertisements. They say that images account for most of the size of a web page (1.4MB on average, of the 2.3MB average page size).
Hosts != ClarityRay blockable
Name one site that uses ClarityRay, detects a browser add-on and blocks it.
Less power/cpu/ram + IO use
Your own figures (quoted elsewhere) show that on even an average system, the difference in resource use is around 1-2%
Gets data via 10 security sites
But cannot tell when a given entry was added.
Verified by Malwarebytes' S. Burn
Link to a forum post that's locked to new users. No way to check or verify.
Try to reply without just restating your position, attacking me or demanding to know what I've done or devolving into name calling or childish 'I win' posts.
Bonus points if you show you've actually read and understood what you are replying to.
YT
Every increase helps Mr. "Eating your words" https://slashdot.org/comments.pl?sid=9986237&cid=53480147/
REAL attacks stalled by hosts & not 'edge' (hosts stop 10 botnets in 2++ weeks https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/ - this is YET another!
PROOF ads = up to 40% of a site's pages via bandwidth analysis http://www.silicon.co.uk/e-marketing/adblock-plus-adblocking-network-traffic-172245/
Gb's of RAM = DNS vs. Mb's = hosts? Dumb trying "%'ages"! Addons use more vs. hosts & do less too!
(You think people here =e STUPID to fall for weak "jedi mind tricks" when ORDERS OF MAGNITUDE are a difference?)
My program = best (hostsman != 64-bit & can't speed up fav site resolution securing you vs. DNS redirects)
U get 100mpg/100hp (hosts) OR don't (adblock) letting ads in to f you OR get 10mpg/10hp using other 'solutions' (full of security bugs/inefficiency (antivirus/locally installed DNS)).
APK
P.S.=> YOU've done better?
"I know of three popular sites that use ClarityRay-like scripts: WIRED, the INQUIRER, and The Atlantic. All three of them admit that they can't tell the difference between tracking blockers, such as Ghostery, Disconnect, and Firefox Private Browsing, from ad blockers" - by tepples ( 727027 ) on Wednesday December 28, 2016 @09:58PM (#53569297)
Detecting browser addons = trivial & here's the proof (dumping them via script) https://webdevwonders.com/detecting-firefox-add-ons/
Thus, If clarityray wants to detect ANY browser addons?? That's how EASY it is to block them!
Can't do that to hosts that way (not an addon running in SLOWER usermode clotting up browsers w/ messagepassing, ram/cpu & other forms of I/O overheads - hosts are kernelmode FASTER & do the job BEFORE addons work!)
APK
P.S.=> My other post annihilates "YeTi" easily POINT by "so-called 'point'" too, lol https://it.slashdot.org/comments.pl?sid=10053539&cid=53569549/
APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...
Ads rob speed, security (malvertising) & privacy (tracking).
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.
Works vs. caps & PUSH ads.
Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.
Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.
Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).
Data via 10 security sites & 64-bit + hardcoded favs (hostsman isn't & can't).
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )
Every increase helps
No. I use resources for results. Saving 60MB of RAM by turning off my extensions is not a 'saving'.
REAL attacks stalled by h0sts & not 'edge'
I'm calling your DNS protection (poisoned, down, request tracking) 'edge'. Learn to read.
and ... your file stopped a bunch of stuff. One of which you claim in the list was Stegano. Which went undetected for 2 years. Your 'solution' was useless and what kept you safe was preventing scripts from running. But you go ahead and gloss over that because it doesn't fit your narrative.
PROOF ads = up to 40% of a site's pages via bandwidth analysis
Do you _ever_ read anything you link to, or do you just skim?
The study looked at the effect of Adblock Plus (win for extensions!). The 40% figure was arrived at by considering video only. More, the page itself was not 40% ads (as you originally claimed). Looking at the study, the increase in sessions suggest that the ads were spawned as separate pages/connections.
Gb's of RAM = DNS
The last time you referenced this you seemed to link to a list of problems with Windows Server 2008 running a DNS server. Is this what you are talking about? I've run DNSmasq on routers with a total of 32MB of RAM. Orders of magnitude my ass.
You think people here =e STUPID to fall for weak "jedi mind tricks" when ORDERS OF MAGNITUDE are a difference
No. I don't think you are stupid, either. I do think you are obsessed and unable to argue rationally or evaluate evidence that contradicts the position you are so heavily invested in. OK, to be fair, I've just called you a crank.
My program = best
Yup and you've got the awards from a decade ago to prove it.
P.S.=> YOU've done better?
ad hominem. Fail.
YT
See subject "YeTi" & a link where I systematically annihilate u using "%" vs. orders of magnitude https://it.slashdot.org/comments.pl?sid=10053539&cid=53569549/
* You make australians look BAD!
Using 3 addons that use more cpu/ram & other forms of I/O in slower usermode that is EASILY determined & blocked https://it.slashdot.org/comments.pl?sid=10053539&cid=53569609/ vs. hosts that do far more for far less & you NATIVELY already have hosts (not "Bolting on 'MoAr'" stupidly)?
APK
P.S.=> You never seem to answer this question too: HOW DID IT TASTE "EATING YOUR WORDS" after you attacked me here stupid https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ ?
Bit like the BITTER TASTE of SELF-defeat? Washing them down w/ YOUR FOOT IN YOUR MOUTH shoving them down?? LMAO!
Man - must be one hell of a case of indigestion (butthurt is more like it) that you keep coming to your dismay (let alone MALNUTRITION as "eating your words" != good nutrition - hopefully you die of starvation soon if not shame)... apk
You use bs: Hosts use many orders of magnitude less vs. addons & DNS. Using more = better (doing less)? Avg. 6mb hosts = FAR LESS vs. 64mb UBlock (or 128mb Adblock) & hosts do more for less.
Your "illogic logic" astounds, lol!
AVOIDING DNS avoids its MANY issues (enumerated here by the 100's in efficiency & security bugs galore https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ - they're NOT 'edge cases'!
THEY SURE GIVE HOSTS A "WINNING EDGE"!
My post in bandwidth analysis proves savings of 40% blocking ads & hosts do it better vs. addons (by far) doing more for less.
My work's seen awards _+ commercial code sale too to MS certified partners - & you?
APK
P.S.=> You've made me HAVE to say this (& I haven't done THIS in a long time):
This was just "too, Too, TOO EASY - just '2ez'"!
You did it to yourself...apk
See subject: Once listed you can block ANY extension! Can't w/ hosts thus - hosts != addon (& hosts do more for less by FAR vs. hosts & are inferior on nearly EVERY level imaginable including ability + efficiency w/ what you NATIVELY already have operating in far faster kernelmode (vs. slower usermode which addons compound even more in excessive ram/cpu & I/O use in messagepassing + more...)
Attack YOU? YOU attack ME 1st & "ate your words" for it here https://slashdot.org/comments.pl?sid=9986237&cid=53480147/
You keep trying it & FAIL!
(I bookmark EVERY time you do (I can't to you, you post ac (even though you have a "registered 'luser'" account on /.) - I have YET to attack you 1st - I just annihilate you w/ facts!)
APK
P.S.=> You're on your "last leg" limping badly (you did it to yourself) humiliating yourself. Try saying "Satan get thee behind me" & get that devil monkey OFF your back (so you stay off mine + save your own face)... apk
Scripts detect browser addons
Like the script blocker that's stopping them from running? Tell me how that works, again.
And you are still avoiding providing an example of ClarityRay in use. Tell me again how I'm failing.
(I bookmark EVERY time you do
I know. It's creepy. And then you claim that people stalk _you_.
I have YET to attack you 1st
Lie. I criticise your off-topic or 'spammy' posts. That's not attacking you. You, on the other hand, never fail to call me names, mock me, or wish that I were dead. That's attacking me. Not my arguments. Not my words or ideas. Me. I have not attacked you. I've attacked your ideas. I've attacked your posts. But not you. Do you understand? Can you read? Have you read this, or are you just skimming it so you can 'beat' me with some off-topic link or 'proof'?
There's a difference. It's important to me. Perhaps not so much with you.
facts!
Right. Like your 6 year old code snippet that only runs if I allow scripts that you offer as 'proof' when I ask for an example that ClarityRay is in use.
Yeah. Great work.
YT
60MB memory is trivial on a machine with 4GB RAM. You fail to address this and just keep parroting 'more for less'. Boring.
I can run DNSmasq on a router with 32MB of memory, but you keep going on about errors on Windows 2008. You don't even bother addressing this. Weak.
You didn't post a bandwidth analysis. You made a claim. It was exaggerated. You corrected and posted a summary of a study which looked at bandwidth. Which you still haven't read. And which recommended Adblock. Exaggeration. Citation fail.
DNS ... linking to a spam of other links that are an undifferentiated mess of everything you can find that has the word 'DNS' and 'problem' in it is neither an argument nor proof/disproof. I made specific criticisms of your position. I read, tried to understand and replied. If you cannot do the same, then there is little point in continuing this.
Another time, APK. We'll see if you are capable of a real argument, yet.
YT
Don't use software written by a forum spammer who stalks anyone who criticizes his software or advertising methods. Do you really trust a closed source app that spends hours just sorting a list when there's plenty of open source solutions that do the exact same much more quickly? What's with the virustotal results trumpeted out in every post? Trying to make people feel safe? Perhaps with only a few dozen users the malicious actions of your software haven't been discovered yet? Why even risk it when there's better open source software out there anyway written by people that won't stalk your forum posts with nonsense?
Do not reply to this post from a logged in account, APK will stalk you relentlessly with his delusional bullshit until you're forced to register a new account to escape the programmer version of Chris-Chan.
See subject: ~6mb (hosts) is FAR less than 151mb (adblock) or 64mb (ublock) or DNS (gigabytes) + hosts run in a FAR faster more cpu serviced level vs. usermode addons run in (kernelmode).
Routers are LOADED w/ errors &/or exploits galore too https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
I didn't post a bandwidth savings analysis of 40%?? Bullshit I didn't http://www.silicon.co.uk/e-marketing/adblock-plus-adblocking-network-traffic-172245/ - that's what ads cost you & hosts blocks ads more efficiently & do more than addons BY FAR!
You got your ass handed to you on DNS issues galore (both in memory inefficiency & security issues too) https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/
APK
P.S.=> There won't be another time - You are OUT of time & annihilated by documented facts I produce in favor of hosts... apk
See subject: Hosts stop ads stopping adscript sources before NoScript runs (how ads work https://news.ycombinator.com/item?id=10221859/ parsing page tags (tons more effort/resources expended in CPU + RAM to do so stupid) - hosts do it 1 step in fast kernelmode (not slow usermode like addons).
Tepples gave examples & I show how clarityray works https://it.slashdot.org/comments.pl?sid=10053539&cid=53569609/ (using script to detect addons - can't do it to hosts - hosts != browser addon).
I bookmark when you start w/ me - you're a sado-masochist bringing beatings on yourself - I blow you away easily.
My posts on hosts = on topic. Your bs isn't (see below).
APK
P.S.=> I don't WISH you dead - you KILL YOURSELF for me attacking ME 1st (I can't you as you post unidentifiable ac though you HAVE an acct here weasel) & you EAT YOUR WORDS for it https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ doing it to yourself DYING of malnutrition... apk
See subject: Do addons? No. You stalk me as can be seen earlier above as you post anonymous unidentifiably.
OpenSores mistake Google & EFast (chrome doppelganger abused for malicious purposes) is NOT for me (for idiots like you, yes - not me but I actually have a good working app others here like & use - do you? No).
Per my subject: THIS IS THE 10th BOTNET HOSTS STOPPED IN ~ a WEEK https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/
* I post verifiable concrete & undeniable proofs of my program's safety to defend myself vs. loons like yourself. Nothing wrong w/ that (everything RIGHT is with it).
(My program is 100% safe & FREE too outperforming addons (inefficient &/or crippled) + dns/routers (both either crippled or loaded with inefficiency + security issues)
APK
P.S.=> You're a serious LOON who likes taking a beating he administers on himself & not all your "gossip fake news" bs weasels like YOU try will never EVER win vs. myself using documented facts to let you destroy yourself (as you EAT YOUR WORDS that way vs. me https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ ... apk
Let me guess. The operating system affected is Windows?
See subject & https://it.slashdot.org/comments.pl?sid=10053539&threshold=-1&commentsort=0&mode=thread&pid=53567893/ + a tool that's blocked 10 botnets this past week or so https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/ including THIS one per the 1st link above...
* Lastly too, of course? What stops all those other botnets + MANY more from the past https://it.slashdot.org/comments.pl?sid=10053539&cid=53569639/
APK
P.S.=> Why do I do it? Like the original "TERMINATOR" film?? I'm here to help you - I'm Reese: Sgt. TechComm VN38416 assigned to protect you... YOU'VE BEEN TARGETED FOR TERMINATION! & the more of you that stay clean, less chance of you 'spreading the disease' of these botnet machinations... apk
See subject: Nearest = hostsman - not 64-bit & can't do hardcoded fav sites speeding you up + securing you vs. DNS security issues galore!
Plus, it's got dependencies on SQLite (mine doesn't - I wrote the code myself) doing its dedups - it gets a bug? Hostsman's fucked until they get an update... untrue for MY work vs. hostsman. I can patch MY own multithreaded single .exe design work fast (& users can 'patch'/edit hosts easily using text editors even).
* You've done better "YeTi'? Hell no... lol!
(I don't like cutting down hostsman this way but YOU force it & it is nothing but fact/truth...)
APK
P.S.=> What YOU do vs. me EVERY SINGLE TIME YOU TROLL ME (& you always instigate this like a sado-masochist)? You "EAT YOUR WORDS" chump https://slashdot.org/comments.pl?sid=9986237&cid=53480147/
See subject & all the links I posted in the reply of mine you responded to asking your question (you'll find them in there).
* It's a DAMN shame that 'good' companies (or CLOUD for years now for instance) get abused thus - makes for a bad name for them (happens to many sites, even sourceforge, whiplash's other site sister to /.)
It was some 'digging' for me but per my other "terminator" posts earlier in keeping w/ that theme?
"Very hard to spot - I had to wait until he moved on you so I could 'zero' him...
They don't make things like that yet? No, the FUTURE is truly, now... each botnet gets more 'clever' each iteration ala:
"The terminator's an infiltration unit - part man, part machine: Underneath it's a HYPER-ALLOY combat chassis. Microprocessor controlled - fully armored, very tough... the 600 series had rubber skin, we spotted them easy"
&
"LISTEN & UNDERSTAND: That terminator is OUT there - it can't be bargained with, it can't be reasoned with! It doesn't feel pity or remorse or fear & it absolutely WILL NOT STOP, ever... until YOU are dead!"
APK
P.S.=> So, "I'm here to help you: I'm Reese - Sgt. TechCom VN38416 assigned to protect you... YOU'VE BEEN TARGETED FOR TERMINATION!"... apk
"Can u stop it?" answer = "With these weapons?" I do know vs. 10 botnets recently https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/ + this week++ alone & TONS MORE over years now... via hosts (which is what MOST malware/botnets use vs. IP addresses). :)
* Pats self on back (& those providing the data in the security community)
APK
P.S.=> LOL - hope you liked my other posts' "terminator" replies (especially after I 'terminated' good ole' unidentifiable anonymous troll "YeTi" all day long easily in most replies here w/ tepples' assist)... apk
See subject - in keeping w/ my 'terminator' replies to you https://it.slashdot.org/comments.pl?sid=10053539&cid=53572131/ & others earlier... lol!
* Imo, it truly fits...
APK
P.S.=> Picture what Kyle Reese does to the 'terminator' in the bar scene w/ his shotgun blasts - that's what my posts DO to botnets galore (10 this week alone https://news.slashdot.org/comments.pl?sid=10020701&cid=53529963/ & many more in the past - just not as 'clustered/concentrated' as this week's been)... apk
Thank you, experts, for informing us that the type of people targeted by a demand for a rather large amount of money are those with deep pockets. I thought they were hitting up low income housing for $210k just to be assholes.
Chris-chan! That's it!
I knew I recognised this behaviour from somewhere else.
Damn. Then it's probably not something that is ever going to change. Congenital, not just deeply rooted.
YT
See subject & see YOU do it absolutely "LiVe" in concert, lol https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ Gonna downmod "hide" it again too?
"Sure, sure it's not you" (man of a 1,000 faces/sockpuppets & unidentifiable trolling/stalking me even when you HAVE a "registered 'luser'" FAKE NAME for your FAKE LIFE account!)
APK
P.S.=> Come on Mr. Bernays, lol - don't worry, I've got a BETTER technique now than merely technically annihilating you @ every turn - now it's "Cardinal Richelieu" time for you - I'm gonna have a FIELDDAY on you boy & best part is, you did it to yourself constantly trolling me & failing, lol... apk
"YeTi" how'd it taste "eating your words"? lol
APK
See subject pussy: You keep KILLING YOURSELF for me from the start of YOU stalking me stupid https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ & your tech screwups do the rest!
* Thank you for committing suicide for us all to enjoy!
APK
P.S.=> You pitiful little weasel... apk