A Star Trek themed ransomware named Kirk, written in Python and targeting 625 different file types, has emerged, and the attackers are demanding that the ransom be paid in the virtual currency Monero. The threat is paired with a decryptor called Spock, in reference to the Star Trek characters Kirk and Spock. Monero is an open-source cryptocurrency launched on April 18, 2014 with a focus on privacy. Kirk has been recognized as the first ransomware to demand Monero instead of bitcoins.
The ransomware generates an AES key, which is used to encrypt the victim’s files, and then encrypts that key with an embedded RSA-4096 public key. The encrypted key is saved in a file called pwd in the same directory as the executable. Only the attackers can decrypt this file, and they advise victims not to delete it, since it is needed to provide the decryptor.
Kirk ransomware displays a message box showing the same slogan as the LOIC network stress tool, “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v22.214.171.124.”, and meanwhile searches the hard drive for files to encrypt. It targets a total of 625 file types, encrypts them and appends the .kirk extension to each encrypted file’s name, leaves a ransom note in the same folder as the executable and displays the note in a window on the desktop. Users are then instructed to purchase around $1,100 worth of Monero and send it to a specific address. After making the payment, the victim is told to send the pwd file and the payment transaction ID to the email@example.com or firstname.lastname@example.org email addresses. The Spock decryptor is supposedly sent to the victim after the payment is made.
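As an added defender-side example (not code from this article or from the malware), the following Python triage script walks a directory and reports the two indicators described above: files carrying the .kirk extension and any pwd key file, which should be preserved rather than deleted. The 512-byte size check is an assumption that the pwd file holds a raw RSA-4096 ciphertext, which the article does not state, and the sample directory it builds is constructed test data.

```python
import os
import tempfile
from pathlib import Path

KIRK_EXT = ".kirk"    # extension Kirk appends to encrypted files
KEY_FILE = "pwd"      # file holding the RSA-encrypted AES key
RSA4096_BLOCK = 512   # assumption: a raw RSA-4096 ciphertext is 512 bytes


def triage_kirk(root):
    """Walk `root` and summarise Kirk indicators for an incident responder.

    Returns the encrypted files found, the original names they were derived
    from, and every `pwd` file with its size, so the key file can be kept."""
    encrypted, key_files = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(KIRK_EXT):
                encrypted.append(str(path))
            elif name == KEY_FILE:
                key_files.append((str(path), path.stat().st_size))
    originals = [p[: -len(KIRK_EXT)] for p in encrypted]
    plausible = [p for p, size in key_files if size == RSA4096_BLOCK]
    return {
        "encrypted_files": sorted(encrypted),
        "original_names": sorted(originals),
        "key_files": sorted(key_files),
        "key_files_rsa4096_sized": sorted(plausible),
    }


def build_sample_tree():
    """Construct a throwaway directory that mimics a Kirk-hit folder (constructed data)."""
    root = tempfile.mkdtemp(prefix="kirk_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.kirk").write_bytes(b"\x00" * 64)
    (docs / "budget.xlsx.kirk").write_bytes(b"\x00" * 64)
    (docs / "notes.txt").write_bytes(b"untouched")
    # pwd sits beside the executable; simulate 512 bytes of ciphertext
    (Path(root) / KEY_FILE).write_bytes(b"\x00" * RSA4096_BLOCK)
    return root


if __name__ == "__main__":
    for key, value in triage_kirk(build_sample_tree()).items():
        print(f"{key}: {value}")
```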
At the time of writing there are no known victims, and the encrypted files cannot yet be decrypted.