Kirk is a newly discovered ransomeware. It is similar in function to other ransomeware but its authors (presumably fans of Gene Rodenberry’s iconic TV series) have borrowed character names for the encryption and decryption components.
Two notable items related to Kirk are:
- The program is written in python which is quite uncommon for ransomware.
- The digital currency demanded for payment is Monero instead of bitcoin.
The Kirk ransomware targets 625 file types for encryption. These file types are listed below. Like most ransomware, Kirk demands payment from the victim to decrypt those files.
Targeted File Extensions:
How Kirk Ransomware Works
The Kirk ransomware masquerades as a program called “Low Orbital Ion Cannon” or LOIC, a well-known open source network stress tool.
The Kirk file “loic_win32.exe” is responsible for encryption process on the compromised system.
When it runs, the ransomware generates an AES key which is used to encrypt files on infected system. The same AES key then encrypts an embedded RSA-4096 public key. This encrypted key is saved in a file named “pwd” and file is placed in the same directory as executable.
After generating the encryption key the ransomeware displays a message box showing the same slogan as the LOIC network stress tool: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v22.214.171.124.”
At this point, Kirk will begin the encryption process, starting with drive C, and adding the “.kirked” extension to each encrypted file name.
Kirk encrypts each of the file types listed above using the previously created AES encryption key and then appends the “.kirked” extension to the encrypted file’s name.
When encryption finishes it drops a ransom note in the same directory as the executable. It will also display the ransom note in a Window on the infected machine’s desktop.
Files associated with the Kirk Ransomware:
The Spock Decryptor
To decrypt files encrypted by Kirk, the victim must (obviously) purchase the Spock decryption tool. That tool is supplied when the user pays the ransom (from 50 ($1100) to 500 ($11000) Monero depending on how quickly the user pays).
The transaction is only possible using the Monero crypto currency. The method of payment and payment address is supplied in the ransom note. Failure to pay the ransom within one month will result in deletion of “pwd” key – without which data cannot be recovered.
Once the ransom has been paid the victim must send an email containing transaction id and pwd file email@example.com and/or firstname.lastname@example.org.