How To Remove Linux KillDisk Ransomware From Computer?
Malware,Ransomware | 01/23/2018


KillDisk ransomware now attacks the Linux operating system. Once it has encrypted the files there is no going back: the victim cannot recover access to their files, because the Linux version messes up the encryption key. That is not all, though; there is a catch. Read the article below for more information and for methods you can adopt to prevent malware from infecting your system.

Experts have found a Linux version of the KillDisk ransomware. It is another addition to the KillDisk wiper malware family, which was previously used only to disrupt organizations by randomly deleting data and altering files.

Seven days after experts at CyberX discovered ransomware features in a KillDisk variant, ESET discovered this ransomware and, after testing its behavior, found that it targets Linux systems.

Linux version messes up the encryption key

According to the ESET analysts, the way this KillDisk ransomware works on Windows and on Linux is totally different. The biggest issue is that on Linux, KillDisk doesn't save the encryption key anywhere, either on the system or online.

Normally, this would mean that victims could never decrypt their files, since the encryption key would be lost as soon as the encryption process ends.

Fortunately, ESET researchers say they have found a flaw in the Linux variant that allows the encrypted files to be recovered. The same flaw does not exist in the Windows version of this ransomware.


KillDisk ransomware, Windows version

The KillDisk ransomware variant that targets the Windows operating system worked by encrypting every file with the AES-256 algorithm and then encrypting the AES keys with a public RSA-1028 key.

The private RSA key, stored on the criminals' server, allows them to decrypt the victim's files, but only after the victim has paid a huge ransom of 222 Bitcoin (around $215,000). The screenshot below shows the ransom note left behind by the Windows version.

ransom note

The criminals received the encryption keys on their servers via the Telegram protocol, which is used by the IM chat application of the same name. For this reason, CyberX named the operators of this ransomware campaign the TeleBots group.

KillDisk ransomware, Linux version

The Linux variant spotted by ESET researchers earlier this week is altogether different from the Windows version.

First of all, the Linux version no longer communicates with its command-and-control server via the Telegram API. The encryption is also different.

According to the researchers, the victim's "documents are corrupted employing Triple-DES connected to 4096-byte file blocks," and "every file is encrypted with a different kit of 64-bit encryption keys."

The Linux version targets the following folders, to a depth of 17 subfolders, encrypting all files and appending the "DoN0t0uch7h!$CrYpteDfilE" extension.

Folder affected
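
For responders scoping the damage, the extension above is the most direct indicator on disk. The following added example (not from ESET or the original article) walks a directory tree or mounted image, counts the files carrying that suffix per directory, and recovers each original file name so it can be matched against backups. The function names, and the choice to match the suffix with or without a leading dot, are assumptions.

```python
import os
import sys
from collections import Counter

# Suffix reported for the Linux variant. The page does not say whether a dot
# precedes it, so matching is done on the raw suffix (assumption).
KILLDISK_SUFFIX = "DoN0t0uch7h!$CrYpteDfilE"


def original_name(name):
    """Return the pre-encryption file name, or None if the suffix is absent."""
    if not name.endswith(KILLDISK_SUFFIX) or name == KILLDISK_SUFFIX:
        return None
    stem = name[: -len(KILLDISK_SUFFIX)]
    # Drop one separating dot if the suffix was appended as ".<suffix>".
    return stem[:-1] if stem.endswith(".") and len(stem) > 1 else stem


def scan(root):
    """Walk root without following symlinks and summarise renamed files."""
    root = os.path.abspath(root)
    hits, per_dir, total, deepest = [], Counter(), 0, 0
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        for name in files:
            total += 1
            orig = original_name(name)
            if orig is None:
                continue
            hits.append((os.path.join(dirpath, name), orig))
            per_dir[rel] += 1
            deepest = max(deepest, depth)
    return {"hits": hits, "per_dir": per_dir, "total": total, "deepest": deepest}


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(report['hits'])} of {report['total']} files carry the suffix; "
          f"deepest hit at depth {report['deepest']}")
    for directory, count in report["per_dir"].most_common():
        print(f"{count:6d}  {directory}")
    for path, orig in report["hits"]:
        print(f"{path}\trestore as: {orig}")
```

Run it against a read-only mount of the affected disk rather than the live system, since the boot sector has been rewritten and the host may not start normally.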

The KillDisk Linux ransomware will use the GRUB bootloader to display the ransom note by rewriting the user's boot sector.

The ransom note of the Linux version is an exact replica of the one shown in the Windows version, including the email address through which victims can reach out to the cybercriminals.

ransom note GRUB

Before adopting the ransomware model, KillDisk had been used only in cyber-espionage and cyber-sabotage operations.

Ransomware features used as a decoy?

In all attacks, Black Energy had used KillDisk to destroy PCs and delete evidence of their attacks, which were carried out with other malware families.

The newly added ransomware features might be another way to cover their attacks: organizations would believe they had been hit by ransomware and would not investigate further for other clues.

The ransomware's enormous payment demand also fits this scenario, as it is unrealistic to assume that an organization would pay this much to recover its encrypted data.

The TeleBots gang may be hoping that companies will give up on their data and, in doing so, overlook any other signs of the group's intrusions.

Tips to Prevent Ransomware and other malware from Infecting Your System:

  1. Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. Doing so helps keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
  2. Third-party installation: Try to avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
  3. Regular backup: Regular, periodic backups help keep your data safe in case the system is infected by a virus or any other infection. Always back up important files regularly to a cloud drive or an external hard drive.
  4. Always have an anti-virus: Precaution is better than cure. We recommend that you install an antivirus like McAfee or a good malware removal tool.
  5. Enable your popup blocker: Install a powerful ad blocker for Chrome, Mozilla, and IE.
