A cyber-criminal who obviously watches way too much television has gone where many have gone before and rolled out a new malware family called Kirk ransomware.
Kirk’s creators did have a sense of humour when putting together their scheme. The malware, which was uncovered by Avast cyber researcher Jakub Kroustek, contains a short list of Star Trek and SciFi references that any TV junkie/hacker would admire. In addition to naming the code after the captain of the USS Enterprise, the decryptor that is supplied once payment is made is dubbed Spock, according to Bleeping Computer.
In addition, there is a reference to a Low Orbit Ion Cannon, which not only satisfies the geeks out there, but is also a real type of network stress tool.
There have not yet been any reported incidents of Kirk, which is written in Python, in the wild, but on (mixed metaphor alert) the dark side of the situation, the malware has the potential to be dangerous, as no decryptor is available except the one offered by the criminals. Webroot reverse engineer Eric Klonowski said his firm classified Kirk as malicious on 7 March.
Bleeping Computer founder Lawrence Abrams also noted that the cyber-criminals are using the Monero digital currency instead of the more popular Bitcoin, which he believes is a first for this type of attack.
Since the Kirk ransomware has not been officially spotted in the wild, nor have any victims come forward, Abrams told SC Media, its distribution method is still unknown. However, once on a system it disguises itself as a Low Orbit Ion Cannon stress tool and displays a fake Low Orbit Ion Cannon alert to confuse the victim. The ransomware then runs, generating an AES password which is in turn encrypted with an embedded RSA-4096 encryption key and stored on the system for later use.
“The Kirk malware demonstrates that ransomware crypto can be effectively implemented in a few lines of code with relatively few weaknesses,” Klonowski said, adding that “New flavours of ransomware are nothing new, we’ve seen ransomware that brands itself as PAC-MAN, Breaking Bad, etc. Generally, these don’t proliferate and aren’t very serious in the grand scheme of things.”
Abrams wrote that it’s important to not delete this key as it has to be forwarded to the bad guys for the decryption system to work.
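The two-layer scheme described above (a per-run symmetric key that is itself encrypted with an RSA key the criminals hold the private half of) is standard envelope encryption, and it explains both why the victim cannot recover the data alone and why the stored, wrapped key must not be deleted. The following is an added illustration written for this article, not Kirk's code: it uses a toy textbook RSA built from two fixed Mersenne primes (no padding, far too small for real use) and an HMAC-SHA256 keystream as a stand-in for AES, so it runs on the standard library alone. The sample plaintext is constructed.

```python
"""Envelope encryption in miniature: a random symmetric key protects the
data, an RSA public key protects (wraps) the symmetric key.  Whoever holds
the RSA private exponent can unwrap the key; whoever holds only the public
key (the victim) cannot.  Demonstration only: textbook RSA without padding
over a 216-bit modulus, and an HMAC-based keystream standing in for AES."""
import hashlib
import hmac
import os

# Toy RSA key pair from fixed Mersenne primes so the example needs no prime
# generation.  Real deployments use a generated 2048+-bit modulus with OAEP.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                      # public modulus (216 bits)
E = 65537                      # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the key owner has this
N_BYTES = (N.bit_length() + 7) // 8


def rsa_wrap(key: bytes, n: int = N, e: int = E) -> bytes:
    """Encrypt a short symmetric key with the RSA public key."""
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key too large for this modulus")
    return pow(m, e, n).to_bytes(N_BYTES, "big")


def rsa_unwrap(blob: bytes, d: int, n: int = N, key_len: int = 16) -> bytes:
    """Decrypt a wrapped key with an RSA private exponent.  A wrong exponent
    yields garbage rather than an error, exactly as it would for a victim
    guessing at the key."""
    m = pow(int.from_bytes(blob, "big"), d, n)
    return m.to_bytes(N_BYTES, "big")[-key_len:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = offset.to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def envelope_seal(plaintext: bytes):
    """What the encrypting side produces: ciphertext, nonce, and the wrapped
    key blob.  The raw symmetric key is discarded; only its wrapped form
    survives, which is why that blob must be kept for any recovery."""
    key = os.urandom(16)
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    wrapped_key = rsa_wrap(key)
    return wrapped_key, nonce, ciphertext


def envelope_open(wrapped_key: bytes, nonce: bytes, ciphertext: bytes, private_d: int) -> bytes:
    """Recovery path: unwrap the symmetric key with the private exponent, then
    decrypt.  Without the correct exponent the output is noise."""
    key = rsa_unwrap(wrapped_key, private_d)
    return keystream_xor(key, nonce, ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample document contents"   # constructed input
    wrapped, nonce, ct = envelope_seal(sample)
    print("recovered with private key :", envelope_open(wrapped, nonce, ct, D) == sample)
    print("recovered with public key  :", envelope_open(wrapped, nonce, ct, E) == sample)
```

The second print line is the point of the exercise: the victim's machine holds the wrapped key and the public exponent, and that combination cannot reproduce the symmetric key, so no local decryptor exists. Losing the wrapped blob removes even the key holder's ability to recover the data, which is what Abrams is warning about.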
The files are then encrypted and the ransom note appears, which keeps up the theme with images of Kirk and Spock. The cyber-criminals’ ransom demand starts at 50 Monero, or about US$1,100, with the amount doubling every few days and topping out at 1100 Monero after two weeks. The victim is told that if the ransom is not paid within 30 days the key will be deleted and the data irretrievable.
The note does contain instructions to regain access to the files using the Spock decryptor.
Possibly the biggest flaw with Kirk is its use of Monero.
“The problem is that this is only going to confuse victims even more. Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult,” Abrams wrote.