Spock, Kirk, Star in Ransomware

Tuesday, March 21, 2017 @ 11:03 AM gHale

New ransomware features a Star Trek theme and focuses on 625 different file types, researchers said.

The threat is dubbed Kirk and is paired with a decryptor called Spock, referencing two characters in the Star Trek television and movie series.


Discovered by Avast malware researcher Jakub Kroustek, the new malware is written in Python and uses Monero as its payment currency of choice, according to BleepingComputer.

Monero is an open-source cryptocurrency launched April 18, 2014 with a focus on privacy that started seeing increased popularity only last year, after major darknet market AlphaBay adopted it at the end of summer 2016.

Most ransomware attacks demand Bitcoin.

Kirk ransomware’s distribution channels aren’t clear at the moment.

Upon execution, the ransomware generates an AES key used to encrypt a victim’s files, after which it encrypts the key using an embedded RSA-4096 public encryption key and saves it in a file called pwd in the same directory as the ransomware executable.

Only the attackers are able to decrypt this file and recover the AES encryption key, so Kirk ransomware victims should make sure they don’t delete it. The attackers apparently ask for this file in order to provide the victims with the needed decryptor.
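The two paragraphs above give an incident responder enough to triage a suspect folder without touching anything: the `.kirk` extension marks encrypted files, and the `pwd` file beside the executable is the only copy of the wrapped AES key. The following script is an added example, not code from Avast, BleepingComputer or the malware itself. It assumes (the article does not say) that `pwd` holds the raw RSA-4096 ciphertext of the AES key, so a genuine `pwd` would be exactly 512 bytes; the sample directory it builds is constructed test data.

```python
"""Read-only triage for the Kirk ransomware indicators described above.

Added example; not Avast's, BleepingComputer's or the malware author's code.
Assumption (not on the page): the wrapped AES key in `pwd` is raw RSA-4096
ciphertext, i.e. 512 bytes. The `.kirk` extension and the `pwd` file name
come from the article.
"""
import os
import tempfile

KIRK_EXT = ".kirk"
PWD_NAME = "pwd"
RSA4096_CIPHERTEXT_LEN = 512  # 4096 bits / 8 (assumption about pwd contents)


def triage_directory(root):
    """Walk `root` and collect indicators; returns a dict of findings.

    Nothing is modified or deleted: the pwd file is the only route to the
    AES key, so a responder must preserve it for the victim.
    """
    encrypted = []
    pwd_candidates = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(KIRK_EXT):
                encrypted.append(path)
            elif name == PWD_NAME:
                size = os.path.getsize(path)
                pwd_candidates.append({
                    "path": path,
                    "size": size,
                    # Plausibility check under the raw-RSA assumption above.
                    "looks_like_rsa4096_blob": size == RSA4096_CIPHERTEXT_LEN,
                })
    if encrypted and pwd_candidates:
        verdict = "kirk_indicators_present"
    elif encrypted or pwd_candidates:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "pwd_files": pwd_candidates,
        "verdict": verdict,
    }


def build_constructed_sample():
    """Create a throwaway directory mimicking a Kirk-hit folder (constructed data)."""
    root = tempfile.mkdtemp(prefix="kirk_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.kirk", "budget.xlsx.kirk", "photo.jpg.kirk"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    with open(os.path.join(root, PWD_NAME), "wb") as fh:
        fh.write(os.urandom(RSA4096_CIPHERTEXT_LEN))  # stand-in wrapped key
    return root


def build_clean_sample():
    """Create a throwaway directory with no indicators (constructed data)."""
    root = tempfile.mkdtemp(prefix="clean_triage_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return root


if __name__ == "__main__":
    result = triage_directory(build_constructed_sample())
    print(result["verdict"], result["encrypted_count"], "encrypted files")
    for entry in result["pwd_files"]:
        print("preserve:", entry["path"], entry["size"], "bytes")
```

Run it against a suspect share and hand the `pwd_files` entries to whoever handles recovery; a `pwd` that is not 512 bytes does not rule Kirk out (the encoding assumption may simply be wrong), so treat the size flag as a hint, not a verdict.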

Kirk ransomware displays a message box showing the same slogan as the LOIC network stress tool: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0.” In the background, the ransomware searches the hard drive for files to encrypt. It targets 625 file types, encrypts them and appends the .kirk extension to the encrypted file’s name.

The malware drops a ransom note in the same folder as the executable and displays it in a window on the desktop. Users are instructed to purchase around $1,100 worth of Monero and send it to a specific address. After making the payment, the victim should send the pwd file and the payment transaction ID to the kirk.help@scryptmail.com or kirk.payments@scryptmail.com email addresses.

After payment, the attackers send the Spock decryptor to the victim.
