Star Trek-themed Kirk ransomware has Spock decryptor, demands ransom be paid in Monero

While you may want to live long and prosper, you don’t want to be “kirked”—an extension added to files encrypted by the new Star Trek-themed Kirk ransomware.

Kirk ransomware, which was discovered by Avast malware researcher Jakub Kroustek, doesn’t want the ransom to be paid in bitcoin. Bleeping Computer said it “may be the first ransomware to utilize Monero as the ransom payment of choice.”

It is not known how the ransomware is being distributed, but researchers know that Kirk ransomware masquerades as the Low Orbital Ion Cannon network stress tool; LOIC was once favored for denial of service attacks. The fake version sports the LOIC slogan, “When harpoons, air strikes and nukes fail,” and claims to be initializing once executed.

In reality, once executed, the ransomware generates an AES password that is encrypted with an RSA-4096 public encryption key, scans the C drive to encrypt specific extensions, and adds “.kirked” to the encrypted file name.

The ransomware note displayed shows an ASCII art image of Spock and Captain James. T. Kirk—the pictures are of the original Spock (Leonard Nimoy) and Kirk (William Shatner)—followed by: “Oh no! The Kirk ransomware has encrypted your files!”

Kirk ransomware, which was written in Python, currently targets 625 files types. The ransom note lists many popular file extensions, followed by: “There are an additional 441 file extensions that are targeted. They are mostly to do with games.” Some people might opt to pay to unlock their pictures, movies, music and Office documents, but Solitaire? When viewing the full list of targeted extensions via Bleeping Computer, you can see that the ransomware even targets the extension to encrypt Microsoft Spider Solitaire.

Victims who bow to the extortion and intend to pay the ransom are told to send 50 Monero to a Monero wallet. The value of Monero at the time of writing is $23.50595522, so the ransom is about $1,175. The ransom note says the time of infection was logged and payments received after 48 hours from the “time of infection will be charged double”—so roughly $2,350. The ransom price after 8-14 days is 200 Monero, or about $4,700. It’s 500 Monero 15-30 days after infection, or about $11,750. On day 31, the password decryption key is deleted.

Spock to the rescue

Once the ransom payment is made, victims will allegedly receive their “decrypted password file and program called Spock.” The ransom note says to run Spock to decrypt all files encrypted with Kirk ransomware.

As of right now, there are no known victims of the ransomware. Therefore, Bleeping Computer noted that researchers have yet to see a sample of the Spock decryptor and believe that “at this time the ransomware does not look like it can be decrypted;” researchers often try to release ransomware decryptors so victims have options other than pay or lose everything not backed up.

Once it is circulating in the wild and infecting victims, Bleeping Computer’s Lawrence Abrams noted:

If you plan on paying the ransom for the Kirk Ransomware, you must not delete the pwd file as it contains an encrypted version of your decryption key. Only the ransomware developer can decrypt this file and if a victim wishes to pay the ransom they will be required to send them this file.