Linux-Targeted KillDisk Discovered
Linux is a commonly used operating system on servers within large enterprises, especially in the financial sector. A variant of the KillDisk malware that was used in attacks against Ukraine in late 2015 and late 2016 has now been discovered targeting Linux.
The high ransom amount and the missing decryption process could suggest that the true purpose of attacks using the Linux KillDisk malware is to provide plausible deniability. KillDisk could be used in a cyber-sabotage attack with no intention of allowing data recovery, or merely as a red herring for investigators after data theft has taken place. As such, victims may think that the attack is nothing more than a money-making exercise by criminals, when in fact they have been targeted for the information they hold.
So what can Linux users do to protect themselves from this new KillDisk variant?
While ESET reported that there are some weaknesses in the implementation of the Linux variant of KillDisk that may make it possible to recover data, Linux users should not rely on such flaws and should instead defend their infrastructure appropriately.
In addition to traditional efforts to patch and manage an enterprise network securely, there are several endpoint products now coming to market that aim to provide specific prevention and detection against ransomware through behavioral analysis.
Organizations should also implement good threat hunting capabilities to detect targeted attacks and lateral movement within a network, such as targeted compromises of endpoints with a view to moving laterally to gain administrative access to Linux servers.
Finally, good backup procedures and disaster recovery strategies are required to allow timely and effective recovery in the event of data or system loss from ransomware or cyber-sabotage operations.