Insane blackhats behind world's most expensive ransomware 'forget' to backup crypto keys

Only Linux victims can decrypt warped $247,000 BlackEnergy module - and then only maybe


Variants of the KillDisk data wiping malware, famous for nuking computers in Ukrainian energy utilities, are now being used in possibly the world's most expensive ransom attacks.

Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (right now US$247,000) for the data to be returned.

No-one has paid, and that is just as well, even for cash-laden victims: the attackers cannot decrypt the files themselves, because the encryption keys are neither saved locally nor transmitted to command-and-control servers.

"Let us emphasise that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," ESET researchers Robert Lipovsky and Peter Kalnai say.

The malware was first a module employed in 2015 attacks against Ukraine's Prykarpattya, Oblenergo, and Kyivoblenergo energy facilities.

It is distributed most often through phishing, the tactic favoured by its suspected Russian authors, and is capable of wrecking thousands of different file types.

Those attacks were "artistic", Lipovsky and Kalnai say, using iconography from the hacker hit show Mr Robot.

The ransomware message is splashed in the overwritten GRUB bootloader and apologises for encrypting files.

We're 'sorry', reads GRUB message.

While the KillDisk authors utterly failed in their bid to earn money from ransomware, they avoided encryption mistakes common to other blackhats: files are encrypted with Triple-DES in 4096-byte blocks, and each file uses a different set of 64-bit keys.

But they fell flat again by leaving a hole that lets Linux users decrypt files, with significant effort and some luck. Windows users have no such option at this stage.

"The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations," the researchers say.

"[It] seems more like a nail in the coffin, rather than a true ransomware campaign." ®


Biting the hand that feeds IT © 1998–2022