The destructive KillDisk malware previously associated with attacks targeting industrial firms, was recently observed infecting Linux machines as well, ESET security researchers warn.
Previously, KillDisk was associated with the BlackEnergy actor, as researchers discovered it was one of the tools used by this actor to target Ukraine’s energy sector in late 2015 (though the malware wasn’t directly responsible for outages).
Already considered a major threat because it could wipe entire hard drives and render systems inoperable, KillDisk was recently observed adding encryption capabilities and behaving like ransomware. For that, the malware needed elevated privileges, registered itself as a service, and then killed various processes, although it avoided essential ones.
According to ESET, the malware is associated with a threat group dubbed TeleBots, which is believed to be an evolution of the Russia-linked BlackEnergy (Sandworm) group. The group supposedly targeted Ukraine’s financial sector with various tools, including a newer version of KillDisk set to become active after a specific period of time and to overwrite files that featured specific extensions.