Slashdot Mirror


Destructive KillDisk Malware Turns Into Ransomware (securityweek.com)

wiredmikey writes from a report via SecurityWeek: A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain. CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware, and victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting "organizations with deep pockets." From the report: "The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted. The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions. Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims. According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products."

16 of 56 comments

  1. Yet another damn update by Cajun Hell · · Score: 2

    So can every KillDisk user upgrade now, to fix the deleted-files problem? Or does the ransom change need to be pulled by a bunch of different branch maintainers first?

    --
    "Believe me!" -- Donald Trump
  2. Re:More vector information please. by CaptainDork · · Score: 1

    This is the price of mass technical illiteracy.

    No.

    This is the price of mass technical incompetence in the business space (not the technical staff).

    Businesses don't want to, and don't have to, pay upfront for best-practice implementations that IT departments have been asking for, for years.

    Blaming the user is a cheap cop-out.

    It's a fucking computer. It has the ability to be predictive and "mentally" read the intentions of malware and say:

    STOP! This action is not coming from the operator via user interface. It will encrypt data files and that action is not allowed on this computer. This computer is locked. Notify the IT department.

    A lot of malware comes to us from phishing where executables are wrapped in .zip files attached to an email.

    How fucking hard is it to allow ONLY administrators to open a .zip that has a .scr, .bat, .exe, .com (continue common list here)?

    I have to think of everything.

    --
    It little behooves the best of us to comment on the rest of us.
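The check CaptainDork asks for above (let only administrators open an archive that contains an executable) can be made at the mail gateway or the file server before the attachment ever reaches a desktop. The following is an added example, not code from the thread or from any product mentioned in it: it inspects a zip in memory, flags members whose final extension Windows would execute (the double extension `invoice.pdf.exe` is caught because only the last extension is tested), recurses into nested zips up to a fixed depth, and reports a nested archive it cannot open (password-protected, the usual phishing trick) rather than silently passing it. The extension list and the sample archives are constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs when double-clicked. A constructed starting list for
# this example; extend it to the "common list" the comment above refers to.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".com", ".cmd", ".pif", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".msi", ".ps1", ".lnk",
}
MAX_DEPTH = 3              # nested archives deeper than this are not opened
MAX_MEMBER_BYTES = 50 << 20  # refuse to inflate a nested zip larger than this


def is_executable_name(name):
    """True if the member's final extension is executable.

    Windows hides known extensions by default, so 'invoice.pdf.exe' is shown
    as 'invoice.pdf'; comparing only the last extension, case-insensitively,
    is what catches that trick."""
    lowered = name.rstrip("/").lower()
    return any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def find_executables(data, depth=0, prefix=""):
    """Return paths of executable members in a zip given as bytes.

    Nested zips are recursed into (path written as outer.zip!/inner), and a
    nested archive that cannot be read (encrypted or corrupt) is reported
    too, since an uninspectable attachment should not be waved through."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a zip at all: nothing to report here
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            if is_executable_name(info.filename):
                findings.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(path + " [nested archive too large to inspect]")
                    continue
                try:
                    inner = archive.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    # RuntimeError is what zipfile raises for a password-protected member
                    findings.append(path + " [unreadable nested archive]")
                    continue
                findings.extend(find_executables(inner, depth + 1, path + "!/"))
    return findings


def build_zip(files):
    """Build a zip in memory from {member name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a harmless-looking outer zip wrapping an "invoice"
    # whose real extension is .exe.
    inner = build_zip({"readme.txt": b"see attached", "Invoice.PDF.EXE": b"MZ constructed stub"})
    outer = build_zip({"docs/notes.txt": b"meeting notes", "attachment.zip": inner})
    hits = find_executables(outer)
    verdict = "admin-only" if hits else "ok for users"
    print(verdict, hits)
```

A gateway would route any attachment with a non-empty result to a quarantine that only administrators can release, which is the policy the comment proposes; the point of reporting unreadable nested archives is that the same rule then covers the encrypted-zip variant without a separate exception.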
  3. Re:same solution as ever by FrankHaynes · · Score: 1

    These things all have the same solution: restore from your daily backup, which should not be pushed from the machine in question

    If the backup is not "pushed" from the machine in question, then how is the backup created?

    Or do you mean don't backup the infected/ransomed machine AFTER it has been infected?

    --
    slashdot: A failed experiment.
  4. Re:APK declares his own 'tool' best in class by tepples · · Score: 1

    Post benchmarks on a modern system

    To avoid "no true Scotsman" fallacies, please define "modern" first. I tried to use Google Search to find benchmark results, but "hosts" kept bringing up web hosting, and "APK" kept bringing up Android packages that can be installed through Unknown sources. The best I could find was this question on Super User.

    Name one site that uses ClarityRay, detects a browser add-on and blocks it.

    I know of three popular sites that use ClarityRay-like scripts: WIRED, the INQUIRER, and The Atlantic. All three of them admit that they can't tell tracking blockers, such as Ghostery, Disconnect, and Firefox Private Browsing, from ad blockers.

  5. Re:same solution as ever by tepples · · Score: 1

    Until you discover that your backups are also infected.

  6. Re:More vector information please. by khz6955 · · Score: 1

    "Writing a program that encrypts files is pretty straightforward. Getting it to run on the victim's computer is the tricky bit. Can anyone provide more information about how the payload is delivered?"

    That's because KillDisk only runs on Microsoft Windows. Which must never be mentioned in relation to Windows.

  7. Re:People have to bypass stuff to do their jobs... by fbobraga · · Score: 1

    because things are so locked down that the administrators can't even do their jobs to get security patches for their products due to some overzealous corporate firewall that tries to block any info from getting in.

    Wrong: this is caused by a poor desktop O.S. (one that, until recently, made a simple user account administer the entire system without the "hassle" of using another user account...) - know what O.S. I'm talking about here?

  8. Re:People have to bypass stuff to do their jobs... by fbobraga · · Score: 1

    This is quite common in the military

    Not all military use only Microsoft software (oops, got it: you are talking about the U.S. as if they're the entire world, huh?)

  9. Re:More vector information please. by fbobraga · · Score: 1

    Well, well, we have a Xeroque Romes here!

  10. Re:Entries for hosts that block this by fbobraga · · Score: 1

    0.0.0.0 api.telegram.org [...] 0.0.0.0 api.telegram.org 0.0.0.0 telegram.org

    What is the relation of Telegram with this KillDisk?

  11. Re:Script blockers like inefficient NoScript? by fbobraga · · Score: 1

    Wow: so much info from Anonymous Cowards!

  12. Re:Ancestral vestiges of other botnets iirc by fbobraga · · Score: 1

    An unhelpful AC! Is it a bot?

  13. Ya don't say by rebelwarlock · · Score: 1

    Thank you, experts, for informing us that the type of people targeted by a demand for a rather large amount of money are those with deep pockets. I thought they were hitting up low income housing for $210k just to be assholes.

  14. Re:same solution as ever by knorthern knight · · Score: 1

    >> These things all have the same solution: restore from your daily backup, which should not be
    >> pushed from the machine in question

    > If the backup is not "pushed" from the machine in question, then
    > how is the backup created?

    The Windows machine grants read access to a remote backup machine (linux/bsd/whatever) on the network. The remote machine reads the current file version and backs it up. Note that *THE WINDOWS MACHINE MUST NOT HAVE WRITE ACCESS TO THE BACKUP MACHINE*. An infected Windows machine can encrypt anything it has write access to. It's not just the local hard drive or a USB key in a USB port. A samba or nfs share on a linux or bsd machine is designed to emulate a local hard drive. That includes writing to it, if given the necessary permission.

    > Or do you mean don't backup the infected/ransomed machine AFTER it has been infected?

    That's what *VERSIONING BACKUPS* are for. It's not a new idea. Ask any software developer about git, subversion, mercurial, etc. They can go back to a snapshot at a specific point in time. E.g. if a developer updates a program, and discovers... oh bleep; the update makes it crash on startup on other people's machines... then they can "revert" the update and go back to the previous working version. Similarly, if the latest backup of your important spreadsheet is encrypted, the versioning backup can step back to the latest non-encrypted version.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
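The pull-and-version scheme knorthern knight describes above (the backup host reads the client's share, the client has no write access to the backup store, and each run keeps a snapshot so an encrypted copy never overwrites the last good one) is easy to show end to end. The following is an added example and not code from the thread: `take_snapshot` is what the backup host runs against a read-only mount of the client's files, storing each run under its own snapshot name and hard-linking unchanged files to the previous snapshot in the style of `rsync --link-dest` so that a snapshot costs only the bytes that changed; `list_versions` shows when a file's content changed between snapshots; `restore` copies one version back out. The sample share, the spreadsheet in it, and the "encryption" (the file overwritten with random bytes) are constructed for the demonstration.

```python
import hashlib
import os
import shutil
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(source, repo, name):
    """Pull every file under `source` into repo/<name>.

    Run on the backup host; `source` is the client's share mounted read-only.
    A file whose content equals the previous snapshot's copy is hard-linked
    to it (rsync --link-dest style) rather than stored again. Snapshot names
    must sort chronologically (e.g. ISO timestamps)."""
    source, repo = Path(source), Path(repo)
    repo.mkdir(parents=True, exist_ok=True)
    earlier = sorted(d for d in repo.iterdir() if d.is_dir())
    previous = earlier[-1] if earlier else None
    dest = repo / name
    for src in sorted(source.rglob("*")):
        if not src.is_file():
            continue
        rel = src.relative_to(source)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if old is not None and old.is_file() and file_digest(old) == file_digest(src):
            try:
                os.link(old, out)   # unchanged: share the earlier snapshot's inode
                continue
            except OSError:
                pass                # filesystem without hard links: fall back to a copy
        shutil.copy2(src, out)      # changed (or new): store this version
    return dest


def list_versions(repo, rel):
    """(snapshot name, content digest) for every snapshot holding `rel`, oldest first.

    A digest that differs from the one before it marks the run in which the
    file changed, which is how you find the last snapshot taken before the
    encryption."""
    repo, rel = Path(repo), Path(rel)
    return [(snap.name, file_digest(snap / rel))
            for snap in sorted(repo.iterdir()) if (snap / rel).is_file()]


def restore(repo, snapshot, rel, target):
    """Copy one stored version out to `target`; the snapshot itself is left untouched."""
    target = Path(target)
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(Path(repo) / snapshot / rel, target)
    return target


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    share, repo = work / "share", work / "backups"
    share.mkdir()
    (share / "budget.xlsx").write_text("constructed spreadsheet, q1 totals\n")
    (share / "notes.txt").write_text("unchanged between runs\n")
    take_snapshot(share, repo, "2017-01-05T02:00")
    # Constructed stand-in for the ransomware run: the spreadsheet is overwritten.
    (share / "budget.xlsx").write_bytes(os.urandom(64))
    take_snapshot(share, repo, "2017-01-06T02:00")
    for name, digest in list_versions(repo, "budget.xlsx"):
        print(name, digest[:12])
    restore(repo, "2017-01-05T02:00", "budget.xlsx", work / "budget.restored.xlsx")
    print((work / "budget.restored.xlsx").read_text())
```

Two points the code makes concrete. Because unchanged files share one inode across snapshots, anything able to open a snapshot file for writing would corrupt every snapshot linked to it at once; that is why the store must be unreachable from the client, as the comment insists, and why tepples's objection further down (a compromised backup host) is the case this layout does not cover on its own. Keeping the snapshot tree on a filesystem that can make completed snapshots immutable or read-only closes most of that gap.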
  15. Re:same solution as ever by knorthern knight · · Score: 1

    > Until you discover that your backups are also infected.

    That's what *VERSIONING BACKUP SOFTWARE* is for.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  16. Re:same solution as ever by tepples · · Score: 1

    This fails in two ways. First, particularly sophisticated ransomware has in the past managed to infect the device running the versioning backup software and corrupt old versions. Second, what fraction of home users can be trusted to install and run versioning backup software correctly?