The latest KillDisk ransomware variant renders Linux machines unbootable after an attack. Unlike infected Windows systems, the ransom message for Linux machines is displayed within the GRUB bootloader. After KillDisk is executed, the bootloader entries are overwritten to display the ransom message. After a reboot, the infected system becomes unbootable.
Victims are not advised to pay ransom in hope of decrypting the encrypted files because the encryption keys are neither saved locally nor sent to a command-and-control (C&C) server.