{
	"id": "24cd03d2-2ccf-483a-a25e-b2aef2da3bd7",
	"created_at": "2026-04-06T00:12:22.225035Z",
	"updated_at": "2026-04-10T03:37:09.049058Z",
	"deleted_at": null,
	"sha1_hash": "e46f01b19ecb6fa577b9a377e35a68ba83099614",
	"title": "KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79704,
	"plain_text": "KillDisk now targeting Linux: Demands $250K ransom, but can’t\r\ndecrypt\r\nBy Robert Lipovsky, Peter Kálnai\r\nArchived: 2026-04-05 15:03:01 UTC\r\nRansomware\r\nESET has discovered a Linux variant of the KillDisk component that renders Linux machines unbootable, while\r\nencrypting files and requesting a large ransom at the same time.\r\n05 Jan 2017 • 5 min. read\r\nESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks\r\nagainst the country’s critical infrastructure in late 2015 and against a number of targets within its financial sector\r\nin December 2016. This new variant renders Linux machines unbootable, after encrypting files and requesting a\r\nlarge ransom. But even if victims do reach deep into their pockets, the probability that the attackers will decrypt\r\nthe files is small.\r\nKillDisk – from wiping to encrypting\r\nKillDisk is a destructive malware that gained notoriety as a component of successful attacks performed by the\r\nBlackEnergy group against the Ukrainian power grid in December 2015 and attacks against one of the country’s\r\nmain news agencies in November 2015. More recently, we detected cyber-sabotage attacks utilizing KillDisk\r\nagainst a number of different targets within the financial sector in Ukraine planned for December 6, 2016. At that\r\ntime, a group, which we dubbed as TeleBots, had utilized a different set of tools, abusing the popular Telegram\r\nmessenger service.\r\nKillDisk attack campaigns continued throughout December, aimed at several targets in the sea transportation\r\nsector in Ukraine. The attack toolset has evolved as well – attackers now make use of Meterpreter backdoors and\r\nC\u0026C communication no longer travels through Telegram API.\r\nWhile the December 6th KillDisk variants were quite artistic and displayed a screen referring to the popular Mr.\r\nRobot show on television, recent variants add a more sinister feature – file-encrypting ransomware. The ransom\r\nmessage begins with a provocative “we are so sorry…” and demands that the victim pay an exceptionally high\r\nransom in return for the encrypted files – 222 Bitcoin, which is approximately USD 250,000 at the time of\r\nwriting.\r\nhttps://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt\r\nPage 1 of 5\n\nFigure 1 - Windows KillDisk ransom message\r\nThese recent ransomware KillDisk variants are not only able to target Windows systems, but also Linux machines,\r\nwhich is certainly something we don’t see every day. This may include not only Linux workstations but also\r\nservers, amplifying the damage potential.\r\nThe Windows variants, detected by ESET as Win32/KillDisk.NBK and Win32/KillDisk.NBL, encrypt files with\r\nAES (256-bit encryption key generated using CryptGenRandom) and the symmetric AES key is then encrypted\r\nusing 1024-bit RSA. In order not to encrypt files twice, the malware adds the following marker to the end of each\r\nencrypted file: DoN0t0uch7h!$CrYpteDfilE.\r\nFigure 2 - Linux KillDisk ransom message\r\nIn both Windows and Linux variants, the ransom message is exactly the same, including the ransom amount –\r\nBTC 222, Bitcoin address, and contact email.\r\nLinux/KillDisk.A technical analysis\r\nWhile the ransom details for both platforms are identical, the technical implementation is, obviously, different.\r\nThe ransom message is displayed in an unusual manner – within the GRUB bootloader. When the malware\r\nexecutes, the bootloader entries are overwritten in order to display the ransom text.\r\nThe main encryption routine recursively traverses the following folders within the root directory up to 17\r\nsubdirectories in depth:\r\n/boot\r\n/bin\r\n/sbin\r\n/lib/security\r\n/lib64/security\r\n/usr/local/etc\r\n/etc\r\n/mnt\r\n/share\r\n/media\r\n/home\r\n/usr\r\n/tmp\r\n/opt\r\n/var\r\n/root\r\nFiles are encrypted using Triple-DES applied to 4096-byte file blocks. Each file is encrypted using a different set\r\nof 64-bit encryption keys.\r\nFigure 3 - Code generating encryption keys in Linux/KillDisk.A\r\nAfter a reboot, the affected system will be unbootable.\r\nIt is important to note – that paying the ransom demanded for the recovery of encrypted files is a waste of time\r\nand money. The encryption keys generated on the affected host are neither saved locally nor sent to a C\u0026C server.\r\nLet us emphasize that – the cyber criminals behind this KillDisk variant cannot supply their victims with the\r\ndecryption keys to recover their files, despite those victims paying the extremely large sum demanded by this\r\nransomware.\r\nMoreover, ESET researchers have noted a weakness in the encryption employed in the Linux version of\r\nransomware, which makes recovery possible, albeit difficult. (Note that this does not apply to the Windows\r\nversion.)\r\nConclusion – why ransomware?\r\nWhile monitoring the BlackEnergy and TeleBots cyberattacks, we have observed an interesting evolution of the\r\nsimple but destructive KillDisk component. Over the years we’ve detected attack campaigns against many\r\ndifferent targets across various segments, including state institutions and critical infrastructure, many of them\r\nunrelated. The group (or groups) of attackers behind these operations has had an interest in various platforms –\r\nwhether it was Windows PCs controlling SCADA/ICS systems, or workstations in a media agency. With this latest\r\nexpansion, attackers can use KillDisk to destroy files on Linux systems. Nonetheless, any ties between\r\norchestrators of these attacks remain unclear and purely circumstantial.\r\nThe recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage\r\nand cyber-sabotage operations. Considering the high ransom of around USD 250,000 - resulting in a low\r\nprobability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient\r\nway of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.\r\nWhatever the true explanation, our advice still holds – if you’ve become a victim of ransomware, don’t pay up,\r\nsince there’s no guarantee of getting your data back. The only safe way of dealing with ransomware is prevention\r\n– education, keeping systems updated and fully patched, using a reputable security solution, keeping backups and\r\ntesting the ability to restore.\r\nIndicators of Compromise (IoCs)\r\nSHA1 file hashes\r\nWin32/KillDisk.NBK trojan and Win32/KillDisk.NBL trojan:\r\n2379A29B4C137AFB7C0FD80A58020F5E09716437\r\n25074A17F5544B6F70BA3E66AB9B08ADF2702D41\r\n95FC35948E0CE9171DFB0E972ADD2B5D03DC6938\r\nB2E566C3CE8DA3C6D9B4DC2811D5D08729DC2900\r\n84A2959B0AB36E1F4E3ABD61F378DC554684C9FC\r\n92FE49F6A758492363215A58D62DF701AFB63F66\r\n26633A02C56EA0DF49D35AA98F0FB538335F071C\r\nLinux/KillDisk.A trojan:\r\n8F43BDF6C2F926C160A65CBCDD4C4738A3745C0C\r\nRansom message\r\nWe are so sorry, but the encryption\r\nof your data has been successfully completed,\r\nso you can lose your data or\r\npay 222 btc to 1Q94RXqr5WzyNh9Jn3YLDGeBoJhxJBigcF\r\nwith blockchain.info\r\ncontact e-mail:vuyrk568gou@lelantos.org\r\nSource: https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt"
	],
	"report_names": [
		"killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e46f01b19ecb6fa577b9a377e35a68ba83099614.pdf",
		"text": "https://archive.orkl.eu/e46f01b19ecb6fa577b9a377e35a68ba83099614.txt",
		"img": "https://archive.orkl.eu/e46f01b19ecb6fa577b9a377e35a68ba83099614.jpg"
	}
}