The malware author of a new strain of ransomware has taken inspiration from Star Trek, going where not many have gone before to release a new malware family called Kirk ransomware, themed after the cult television show.
First discovered by Avast cybersecurity researcher Jakub Kroustek, the malware includes a number of Star Trek and sci-fi references. Written in Python, the ransomware is likely the first known strain to accept Monero as its ransom payment of choice.
Bleeping Computer reports that there are no known victims of this new variant of ransomware, yet. Just as pertinently, the report also claims that Kirk ransomware is, as it stands, not decryptable.
While the ransomware's distribution channels are currently unknown, researchers discovered that Kirk ransomware disguises itself as a network stress tool called Low Orbit Ion Cannon.
When executed as loic_win32.exe, Kirk ransomware generates an AES password used to encrypt a total of 625 targeted file types on a victim's machine. The AES key is then encrypted with an embedded RSA-4096 public key before it is saved in a file called pwd in the ransomware executable's directory.
Affected files have the .kirked extension appended to the encrypted file's name.
“No crafty detection evasion is employed. It generates a single AES key for use in encrypting all files, which is encrypted with the public key and written to disk,” explained Webroot reverse engineer, Eric Klonowski.
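The two on-disk artefacts described above (files renamed with the .kirked suffix and the RSA-wrapped AES key written to a file named pwd) are what an incident responder would look for when scoping an infection. The following scanner is an added example written for this page, not code from the article or from any of the researchers quoted; the directory layout it builds is constructed, and the 512-byte pwd stand-in is only an assumption about how a raw RSA-4096 ciphertext block would be stored.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: encrypted files get a ".kirked" suffix and the
# RSA-wrapped AES key is written to a file named "pwd" next to the executable.
KIRK_EXTENSION = ".kirked"
KEY_FILE_NAME = "pwd"


def scan_for_kirk_indicators(root):
    """Walk `root` and collect Kirk ransomware indicators.

    Returns a dict with the number of .kirked files, the original file types
    affected (so responders can scope the damage), and any 'pwd' files seen.
    """
    root = Path(root)
    encrypted = []
    key_files = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower().endswith(KIRK_EXTENSION):
            encrypted.append(path)
        elif path.name == KEY_FILE_NAME:
            key_files.append(path)

    # "report.docx.kirked" -> ".docx"; a file with no inner extension counts as ""
    original_types = Counter(
        Path(p.name[: -len(KIRK_EXTENSION)]).suffix.lower() for p in encrypted
    )

    return {
        "encrypted_count": len(encrypted),
        "original_types": dict(original_types),
        # Preserve the wrapped-key file: it is the only thing a future decryptor
        # (or the private-key holder) could use to recover the AES key.
        "key_files": sorted(str(p.relative_to(root)) for p in key_files),
        ".kirked files alone are a strong signal": None,
        "likely_infected": bool(encrypted),
    }


def build_sample_tree(base):
    """Create a constructed directory layout mimicking a post-infection host."""
    base = Path(base)
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.kirked").write_bytes(b"\x00" * 64)
    (docs / "budget.xlsx.kirked").write_bytes(b"\x00" * 64)
    (docs / "photo.jpg.kirked").write_bytes(b"\x00" * 64)
    (docs / "readme.txt").write_text("untouched file")
    # Constructed stand-in for the wrapped key; 512 bytes assumes raw RSA-4096 output.
    (base / "pwd").write_bytes(b"\x00" * 512)
    return base


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_kirk_indicators(tmp)


if __name__ == "__main__":
    print(demo())
```

The scan deliberately treats .kirked files as sufficient evidence on their own and reports the pwd file separately: that file should be copied off the host and retained, since the AES key it wraps is unrecoverable without the author's RSA private key, and it is the one artefact any later decryptor would need.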
Furthermore, the ransomware strain demands payments in Monero, an alternative cryptocurrency that is more privacy-oriented than the more popular Bitcoin.
The ransom note, displayed in a window on the victim's desktop, demands over $1,000 worth of Monero to be sent to an enclosed Monero address. Once payment is made, the malware developer supplies the decryptor, aptly named "Spock", to the victim.
“Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer,” the ransom note reads before inexplicably adding:
Live Long and Prosper.
The complete version of the ransom note can be found below: