A new ransomware variant named ‘Kirk’ after popular Star Trek character James. T. Kirk recently hit the cybersecurity scene. Like most forms of ransomware, Kirk Ransomware immediately starts encrypting a victim’s files once the malware has been installed. Besides the Star Trek theme, the most interesting characteristic of Kirk Ransomware is the currency demanded for the ransom payment, Monero.
How Does Kirk Ransomware Work?
It’s currently unknown how the Kirk Ransomware is being distributed. However, it is known that it is camouflaged as the network stress tool called Low Orbital Ion Cannon. When executed, Kirk will generate an Advanced Encryption Standard (AES) password that is used to encrypt a victim’s files. The AES key will then be encrypted by a public encrypted key and saved in a file called ‘pwd’ in the same directory as the ransomware executable. It’s important to note here that if you have been infected with Kirk Ransomware and plan on paying the ransom, you must not delete the ‘pwd’ file as it contains an encrypted version of your decryption key. Only the developer of Kirk can decrypt this file, and if a victim wishes to pay the ransom, they will be required to send them this file.
Once the encryption process has taken place, Captain Kirk and another Star Trek character, Mr. Spock, will appear with the ransom demand (see image below).
As we mentioned previously, the most interesting characteristic about the Kirk Ransomware is the currency that’s demanded for the ransom payment. Monero is an open-source cryptocurrency launched in April of 2014 with a focus on privacy. Monero has gained in popularity over the last year after the major darknet market AlphaBay adopted it at the end of summer in 2016. While the Monero currency has been seen with other forms of cyber attacks, it’s believed that Kirk Ransomware is the first ransomware to use it. Currently, victims are instructed to purchase $1,100 in Monero currency. Instructions are provided on the ‘Spock to the Rescue!’ decryption page, that we see above. Fortunately, the developers of the ransomware are leaving victims with some words of wisdom; “Live Long and Prosper.”