Last Thursday, the Avast researcher Jakub Kroustek uncovered a ransomware program titled Kirk. The infection pays a tribute to the Star Trek fantasy series.
Upon entering a vulnerable device, Kirk ransomware proceeds to encrypt the user’s personal files. It was found that the virus could lock 625 different file types. The infected objects have the .kirked file extension appended to their names.
When the encryption process has been completed, Kirk ransomware notifies the victim about the occurrence through a couple of messages. The program opens a window, containing a code scheme. The symbols are aligned in a pattern to create a rendered image of the patron character.
The virus drops a copy of a file titled RANSOM_NOTE.txt in every folder which contains encrypted data. This file contains instructions on what the victim is required to do to have his data recovered.
The decrypter for Kirk rasnomware is called Spock. The utility has the same design scheme as the virus, minus the face of the corresponding character. The tool has been confirmed to be functional.
The technical characteristics of Kirk ransomware
Kirk ransomware has been written on Python. The virus uses LOIC (Low Orbit Ion Cannon) in its attacks. This is an open source network stress testing application which is often implemented when conducting DDoS (distributed denial of service) attacks.
Kirk ransomware actually masquerades as the LOIC utility. When the infection starts its installation process, it displays a message which states that LOIC is initializing. The pop-up contains a mistake in the title which victims can use as a sign to identify the virus.
The encryption is performed using a combination of RSA-4096 and AES algorithms. The AES cipher generates a unique key which locks the vulnerable objects. The key is then encrypted using the RSA algorithm and saved in a file called pwd. This file is stored in the same directory as the ransomware executable.
To be eligible to receive the Spock decryption tool, the user has to pay a ransom of around $1,100 USD. The sum is to be paid in the Monero cryptocurrency. The cyber criminals have registered a payment address which is listed in the ransom note.
After completing the transaction, the victim has to contact the hackers per email. The sender needs to list the transaction ID in the message to prove that the payment has been made. The pwd file needs to be attached to the letter. The owners of Kirk ransomware have provided a couple of email accounts in the ransom note: kirk.help@scryptmail.com and kirk.payments@scryptmail.com.
The creators of Kirk ransomware seem to be people who think outside the box. Their program is the first encryption virus to accept payments in the Monero cryptocurrency. Furthermore, the Python language is not commonly used for writing ransomware. Time will tell how strong the code of the program is.
