back to article Insane blackhats behind world's most expensive ransomware 'forget' to backup crypto keys

Variants of the KillDisk data wiping malware, famous for nuking computers in Ukrainian energy utilities, is now being used in possibly the world's most expensive ransom attacks. Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (right now US$247,000) for the data to be …

  1. Hans 1
    Windows

    >No-one has paid; this is a good thing, even for victims laden with cash, since the attackers cannot decrypt files because encryption keys are not saved locally or transmitted to command and control servers.

    >"Let us emphasise that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," ESET researchers Robert Lipovsky and Peter Kalnai say.

    Time will tell if anybody pays, sure, but there is no causality between blackhats being able to decrypt files and the victims paying up... victims will usually discover that the files cannot be decrypted after they have paid, I guess ... unless you expect the blackhats to be honest (ROFL) and admit they cannot decrypt files, which I find unlikely. They will cash-in and run off.

    1. Doctor Syntax Silver badge

      "unless you expect the blackhats to be honest (ROFL)"

      Not too much laughing, thank you. The whole ongoing scam relies on the marks having confidence that if they pay the ransom they'll get their files back. In may sound contradictory but their success depends on the unscrupulous being scrupulous.

      This is either a particularly stupid bunch of scammers or an attempt to yank the rug out from under the whole scam by destroying that confidence.

      1. Doctor Syntax Silver badge

        "This is either a particularly stupid bunch of scammers or an attempt to yank the rug out from under the whole scam by destroying that confidence."

        Second thoughts, they're playing a long game - drive the scam into the ground for now and come back in a couple of years time when the competition's out of business.

    2. Prst. V.Jeltz Silver badge

      the concept of Ransomware is that they *do* cough up the keys. Its the business model.

      Why wouldnt they give you the key? it dosent cost anything.

      If they never paid up people would learn never to pay.

      The story here is that these idiots have fked up the malware so they cant hand the keys over.

  2. Christoph

    So if nobody has paid, how do they know the files can't be decrypted? Analysis of all the software's functions?

    1. Destroy All Monsters Silver badge

      As if that were hard in cryptoshit.

      If there is no code to send out the keys and there is no code to store the keys, you know what's up.

    2. Bronek Kozicki
      Facepalm

      Analysis of all the software's functions?

      Well, since reverse engineering of malware is exactly what outfits such as ESET do all day long ...

  3. Yesnomaybe

    Sounds like...

    Sounds to me like someone wants to pretend they are doing it for the money, but really aren't. State/government people perhaps?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sounds like...

      An interesting theory (I think) - would you care to expand on that?

      1. Cynic_999

        Re: Sounds like...

        It's not necessarily a government, but I can see that it could be someone who has done this in order to prevent further attacks by making people decide that there is no point in paying up because it won't get their data back. i.e. by poisoning the well.

        Publicly kill the hostages and you can ensure that nobody will pay the hostage-takers.

        1. IglooDude

          Re: Sounds like...

          Indeed, I'd think that the whitehats helping people with ransomware decryption could help just by getting the targets to claim (loudly) that they sent the money but did not get any decryption, and only the (gratis) whitehats decrypted their files.

          Lying sure, but for a very good cause: the destruction of the ransomware business model...

          1. DJ Smiley

            Re: Sounds like...

            Bitcoin is auditable - it's shown in the blockchain if anyone has paid (or in this case that no one has).

    2. Anonymous Coward
      Anonymous Coward

      Re: Sounds like...

      1) Wreck someone's shit.

      2) Pretend you are able to recover stuff if $$$ is paid

      3) ???

      4) Profit!

      It's as old as the invention of the state.

  4. Paul Crawford Silver badge

    Infection vector?

    The Windows variant use an Excel spreadsheet emailed to the victim (I think) but what is the route for the Linux version?

    1. Roland6 Silver badge

      Re: Infection vector?

      Also it is not clear whether the reason Linux users may have some success is because of the use of a non-NFS/FAT file system or some other reason.

      1. Sven Coenye

        Re: Infection vector?

        The method used to encrypt the files is different between the Linux and Windows flavors. There is apparently a blunder in the Linux version's code that allows for the encryption to be reversed, but no details.

    2. Sven Coenye

      Re: Infection vector?

      Going by the write-up at ESET, a complete root compromise is required, but 0 details and the links circlejerk into a 404 between the main site and the ESET blog site. Sounds like an early wolf call again because LINUKS FALLZ!!11One!!

  5. Anonymous Coward
    Anonymous Coward

    Google docs spreadsheet with Ransomware info

    I have a little list

    Check out the "Contributions" tab for origin info

    1. Prst. V.Jeltz Silver badge
      Black Helicopters

      Re: Google docs spreadsheet with Ransomware info

      call me Mr Paranoidy Pants , but I'm not going to open a mystery spreadsheet from an ugly looking url posted by an anonymous Coward , straight after being told this incurable encryption malware is propagated in a spreadsheet!

      1. Destroy All Monsters Silver badge
        Thumb Up

        Re: Google docs spreadsheet with Ransomware info

        Your reflexes are good.

        Myself, I verified whether the URL was referenced more than once before accessing and still the nagging thought remains that it would be a good vector.

        Yes, there is EcmaScript, but at least google docs stuff cannot run macro viruses in your browser (I think) so there is that. Anyway, QubesOS when??

        1. John H Woods

          Re: Google docs spreadsheet with Ransomware info

          "Anyway, QubesOS when??" -- Destroy All Monsters

          Errm? Right now. I opened the spreadsheet in a disposable VM in Qubes 3.2.

        2. Jamie Jones Silver badge

          Re: Google docs spreadsheet with Ransomware info

          Me? Not being a paranoid Daily Mail reader, or a paranoid tinhat wearer, or running windows, or linux, I just clicked on the link directly.

          Turns out that my browser doesn't have the access ability to scrub my network, fire abusive texts to my boss, or start world war 3. Who'd have thought it?

          Seriously, if you can only safely open links by going through a sandbox or temporary VM, you are either doing it wrong, or have the stupidest OS setup going, and should not be acceseing the internet with it in the first place.

          However, if you are just showboating, feeding overly paranoid advice to the populace doesn't help security, the grandstanding just muddies the water.

          One must believe you are either a daily mail hack, or an anti-virus writer..

          1. John H Woods

            Re: Google docs spreadsheet with Ransomware info

            "Seriously, if you can only safely open links by going through a sandbox or temporary VM, you are either doing it wrong, or have the stupidest OS setup going, and should not be acceseing the internet with it in the first place."

            I absolutely agree that it *should* not be the case that browsing to a link should be able to compromise your machine, but unfortunately, time and again, it has been shown to be possible, even with properly installed and maintained operating systems. Suggesting that people don't click on unknown links, at least without taking precautions, is hardly "overly paranoid advice" let alone "showboating" or "grandstanding."

            And where does the Daily Mail come into it?

          2. Crazy Operations Guy

            Re: Google docs spreadsheet with Ransomware info

            "Turns out that my browser doesn't have the access ability to scrub my network, fire abusive texts to my boss, or start world war 3. Who'd have thought it?"

            Every browser has those capabilities...

            *"Scrub the network": JavaScript can send custom-built packets out to your network and perform all the discovery it wants, or every modify files that your user account is capable of accessing.

            *"fire abusive texts to my boss": Every phone provider out there has a web-based SMS utility, a piece of malware could leverage a cross-site scripting bug to access your account and send texts to anyone

            *"start world war 3": This one is ridiculously easy, a state actor could leverage your system to proxy a connection through your machine back to their own to launch some type of weapon. The state could then declare that your country attempted to hack them cause war, which many countries would respond with a declaration of war after being accused of attempting to start one.

      2. Diginerd

        Re: Google docs spreadsheet with Ransomware info

        Paranoia <= Practical Defense...

        ...Options :-

        1) Open sketchy link in a disposable Sandbox VM

        2) Open sketchy link on iPhone/iPad (That is then promptly restored from a backup if you're up to "TinFoil headware is actually not a bad idea" level of paranoia)

        3) Point VirusTotal (https://www.virustotal.com) at the URL

        4) Go full crazy and click the link trusting that RegCommentards may have some level of decency / accountability should "A bad thing" (tm) happen...

  6. Stevie

    Bah!

    Why don't we just ask Donald Trump who these miscreants are?

    He seems to have his finger in the pie on the pulse.

    1. Destroy All Monsters Silver badge

      Re: Bah!

      Hillary, plz go.

  7. tiesx150

    These guys just did everyone a massive favour!

    If anything this tactic will kill this attack method variant dead in the water. The whole purpose of this type of scam is to fool the less tech savvy into parting with their cash to get their sh1t back but if this tactic continues and the general public begin to believe that they wont receive their precious wedding pics even IF they fork out a few hundred quid then the whole thing becomes a waste of time and the incentive/temptation to pay is removed from the equation.

    Well done you thick black hatters, this group of scum just toppled the whole cash pyramid. We just need Joe public to believe that they wont recover their files whether the pay or don't pay and then you have lost your revenue stream. Bring on a few more attacks just like this !

  8. casaloco

    They failed at step 1...

    They failed at step 1... make paying less hassle than recovering from backups.

    For Randsomware to be effective, the price needs to be about £50. That's the amount most people would pay in the hope of getting their data back. When you get beyond that it becomes less and less likely they will pay. Technical-ish people will have backups, non-technical people will trash the Malware and make the files unrecoverable trying to fix it. On top of this, the more you demand, greater the chances of law enforcement becoming involved.

    Essentially they need to target a price-point that is about the same as a years licence to a quality anti-virus/anti-malware suite.

    At £50, if people are reasonably sure they will get their files back, they will just pay.

    1. Craig 2

      Re: They failed at step 1...

      "Essentially they need to target a price-point that is about the same as a years licence to a quality anti-virus/anti-malware suite."

      Sounds like a bargain, at least the shitty AV won't have been slowing your PC down for a year before failing to protect you when you actually needed it.

  9. Anonymous Coward
    Linux

    Variants of the KillDisk data wiping malware

    "Variants of the KillDisk data wiping malware .. are targeting Windows and Linux desktops and servers"

    How exactly is the malware executed and caused to run on the Windows and Linux desktops and servers?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022