March 17, 2017
Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?
Discovered today by Avast malware researcher Jakub Kroustek, the Kirk Ransomware is written in Python and may be the first ransomware to utilize Monero as the ransom payment of choice.
At this time there are no known victims of this ransomware and it does not appear to be decryptable. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.
Kirk Ransomware uses Monero for Ransom Payments
Ever since Monero was released, it has been highly touted as a more secure and anonymous payment system than Bitcoin. This has caused underground criminal sites, like AlphaBay, to accept it as payment and for criminals to mine it using mining Trojans. It was only a matter of time until ransomware developers started requesting it.
For possibly the first time, with the release of Kirk Ransomware, Monero has been introduced as a ransom payment. The problem is that this is only going to confuse victims even more. Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult.
How the Kirk Ransomware Encrypts a Computer
While it is not currently known how the Kirk Ransomware is being distributed, we do know that it is masquerading as the network stress tool called Low Orbital Ion Cannon. Currently named loic_win32.exe, when executed Kirk Ransomware will now generate a AES password that will be used to encrypt a victim's files. This AES key will then be encrypted by an embedded RSA-4096 public encryption key and saved in the file called pwd in the same directory as the ransomware executable.
Below is the current embedded RSA key used to encrypt the victim's encryption key.
Kirk Ransomware will now display a message box that displays the same slogan as the LOIC network stress tool. This slogan is: "Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v126.96.36.199".
Fake Low Orbital Ion Cannon Alert
At this point, the ransomware infection will begin to scan the C: drive for files that have certain file extensions. At the time of this writing, Kirk Ransomware targets 625 file types, which are listed at the end of the article.
If a matching file is detected, it will encrypt it using the previously created AES encryption key and then append the .kirk extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.kirk.
When the ransomware finishes encrypting the files it will drop a ransom note called RANSOM_NOTE.txt in the same folder as the executable. It will also display the ransom note in a Window on your desktop. A full version of the ransom note can be see at the end of the article.
The Spock Decryptor
This wouldn't be a Star Trek themed ransomware without Spock. The developer agrees as they have named the decryptor "Spock" and it will be supplied to the victim once a a payment is made.
At this time we have not seen a sample of the decryptor, so cannot provide more info regarding it.
As previously said, unfortunately at this time the ransomware does not look like it can be decrypted. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.
Files associated with the Kirk Ransomware:
Targeted File Extensions:
Ransom Note Text:
Full version of the Ransom Note: