How to Protect Yourself from KillDisk Attack on Ubuntu

For quite some time it’s been believed that ransomware seldom affects machines running Linux, or FreeBSD for that matter. Unfortunately, the KillDisk ransomware has now attacked a handful of Linux-powered machines, and it seems that even distributions that hash out (lock) the root account, such as Ubuntu and its various official spins, could be vulnerable. Some computer scientists have argued that many of the security threats affecting Ubuntu compromised some aspect of the Unity desktop interface, but this threat can harm even those using KDE, Xfce4, Openbox or the entirely console-based Ubuntu Server.

Naturally, the usual common-sense rules apply to fighting this type of threat. Don’t open suspicious links in a browser, and make sure to run a malware scan on files downloaded from the Internet as well as on email attachments. This is especially true for any executable code you’ve downloaded, though packages that come from the official repositories carry a digital signature that reduces this risk. Always read the content of any script in a text editor before you run it. On top of these things, there are a few specific steps you can take to protect your system from the form of KillDisk that attacks Ubuntu.

Method 1: Hash Out the root Account

Ubuntu’s developers made a conscious decision to hash out the root account, and while this hasn’t proven totally capable of stopping this type of attack, it’s one of the primary reasons it’s been slow to harm systems. It’s possible to restore access to the root account, which is common for those who are using their machines as servers, but this does have serious consequences when it comes to security.

Some users might have issued sudo passwd and then given the root account a password they could actually use to log in from both graphical and virtual consoles. To immediately disable this functionality, use sudo passwd -l root to eliminate the root login and put Ubuntu or the spin you use back to where it was originally. When you’re asked for your password, you’ll need to actually enter your user password and not the special one that you gave to the root account, assuming that you were working from a user login.

Naturally, the best method involves never having used sudo passwd to begin with. A safer way to handle the issue is to use sudo bash to get a root shell. You will be asked for your password, which again is your user password and not a root password, assuming you only have one user account on your Ubuntu machine. Keep in mind that you can also get a root prompt for other shells by using sudo followed by the name of that shell. For instance, sudo tclsh creates a root shell based on a simple Tcl interpreter.

Make sure to type exit to get out of a shell once you’re done with your administration tasks, because a root user shell can delete any file on the system regardless of ownership. If you’re using a shell like tclsh and your prompt is simply a % sign, then try whoami as a command at the prompt. It should tell you exactly who you’re logged in as.

You could always use sudo rbash as well to access a restricted shell that doesn’t have as many features, and therefore provides less of a chance to cause damage. Keep in mind that these work equally well from a graphical terminal you open in your desktop environment, a full-screen graphical terminal environment or one of the six virtual consoles that Linux makes available to you. The system can’t distinguish between these different options, which means you’ll be able to make these changes from standard Ubuntu, any of the spins like Lubuntu or Kubuntu or an installation of Ubuntu Server without any graphical desktop packages.

Method 2: Check if the root Account has an Unusable Password

Run sudo passwd -S root at any time to check whether the root account has an unusable password. If it does, the returned output will read root L, followed by a date for when the root password was closed out. This generally corresponds to when you installed Ubuntu and can be safely ignored. If it instead reads root P, then the root account has a valid password, and you need to lock it out with the steps in Method 1.

If the output instead reads root NP, then it is even more urgent to run sudo passwd -l root to fix the issue, since this indicates that there is no root password at all and anyone, including a script, could get a root shell from a virtual console.
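As an added example (not from the original article), a small POSIX shell script that classifies the status field of passwd -S output the way Method 2 describes and relocks the root password as in Method 1 when it finds a usable or empty one. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the root account's password status (Method 2) and
# relock it (Method 1) when needed. Function names are this example's own.

# Classify one line of `passwd -S <user>` output.
# The second field is the status: L = locked/unusable password,
# P = usable password, NP = no password at all.
# Prints one of: locked, usable, empty, unknown.
classify_passwd_status() {
    line="$1"
    # Deliberately unquoted: split the line into fields on whitespace so the
    # status is read independently of the locale's date format that follows it.
    set -- $line
    status="${2:-}"
    case "$status" in
        L)  echo locked ;;
        P)  echo usable ;;
        NP) echo empty ;;
        *)  echo unknown ;;
    esac
}

# Returns 0 (true) only when the classification means no root login is
# possible with a password; anything else, including unreadable output,
# is treated as needing attention.
root_password_is_safe() {
    case "$1" in
        locked) return 0 ;;
        *)      return 1 ;;
    esac
}

# Live check; only meaningful when run by a sudoer on a real Ubuntu system.
audit_root_account() {
    status_line=$(sudo passwd -S root) || return 2
    kind=$(classify_passwd_status "$status_line")
    if root_password_is_safe "$kind"; then
        echo "root password is ${kind}; nothing to do"
    else
        echo "root password is ${kind}; locking it with passwd -l root"
        sudo passwd -l root
    fi
}

# Run the live audit only when explicitly requested, so the file can also be
# sourced to reuse the functions without touching the system.
if [ "${RUN_ROOT_AUDIT:-0}" = "1" ]; then
    audit_root_account
fi
```

Run it with RUN_ROOT_AUDIT=1 sh audit.sh on the machine you want to check; without that variable it only defines the functions.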

Method 3: Identifying a Compromised System from GRUB

This is the scary part, and the reason you always need to keep backups of your most important files. When you load the GNU GRUB menu, generally by pressing Esc while booting your system, you should see several different boot options. If instead you see a message spelled out where they would be, then you may be looking at a compromised machine.

Test machines compromised with the KillDisk program read something like:

*We are so sorry, but the encryption
of your data has been successfully completed,
so you can lose your data or

The message will go on to instruct you to send money to a specific address. You should reformat this machine and reinstall Linux on it. Do not reply to any of KillDisk’s threats. Not only does paying help the individuals running these schemes, but the Linux version of the program actually doesn’t store the encryption key properly because of a bug. This means there’s no way to recover the files, even if you were to give in. Just make sure to have clean backups and you won’t have to worry about being in a position like this.

Kevin Arrows