Kirk Ransomware | |
---|---|
[Image: part of the ransom note] | |
Classification | Ransomware |
Technical details | |
Written in | Python [1] |
Kirk Ransomware, or Kirk, [2] is malware. It encrypts files on an infected computer and demands payment for decryption in the cryptocurrency Monero. The ransomware was first discovered in 2017, by Avast researcher Jakub Kroustek. [2] [3]
Kirk Ransomware is a trojan horse program that masquerades as Low Orbit Ion Cannon, an application used for stress testing and denial-of-service attacks. [1] Once activated, Kirk Ransomware searches the infected computer's hard drive for files with certain filename extensions, and encrypts and renames them, adding .kirked to the end of their filenames. When the encryption is finished, a window pops up, displaying an ASCII art image of Captain James T. Kirk and Spock from Star Trek: The Original Series, and informing the user that files have been "encrypted using military grade encryption." "SPOCK TO THE RESCUE!" the ransom note continues, and demands payment in order to receive a decryptor program named Spock. [4] [5] The ransom demanded is initially 50 Monero (worth about $1,175 as of March 2017); [6] if not paid within 48 hours, the demand begins increasing, reaching 500 Monero after two weeks. If the ransom remains unpaid after 30 days, the decryption key is deleted, essentially rendering the encryption irreversible. [6] The ransom note includes a spurious quotation from Spock ("Logic, motherfucker"), and ends with "LIVE LONG AND PROSPER". [1]
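A defender-side illustration of the rename behaviour described above, added here and not part of the original article: it flags hosts where several files gain the `.kirked` suffix within a short window. Only the suffix comes from the article; the event format, host names, paths, window and threshold are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

SUFFIX = ".kirked"               # extension named in the article
WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

# Constructed file-rename events: (ISO timestamp, host, old path, new path)
SAMPLE_EVENTS = [
    ("2017-03-17T10:00:01", "ws-01", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx.kirked"),
    ("2017-03-17T10:00:04", "ws-01", r"C:\Users\a\budget.xlsx", r"C:\Users\a\budget.xlsx.kirked"),
    ("2017-03-17T10:00:05", "ws-01", r"C:\Users\a\old.txt", r"C:\Users\a\new.txt"),
    ("2017-03-17T10:00:09", "ws-01", r"C:\Users\a\photo.jpg", r"C:\Users\a\photo.jpg.kirked"),
    ("2017-03-17T11:30:00", "ws-02", r"C:\tmp\a.zip", r"C:\tmp\a.zip.kirked"),
    ("2017-03-17T14:30:00", "ws-02", r"C:\tmp\b.zip", r"C:\tmp\b.zip.kirked"),
]

def is_kirk_rename(old, new):
    """True when the new name is the full old name with .kirked appended."""
    return new.lower() == old.lower() + SUFFIX

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map each host to the timestamp at which `threshold` matching
    renames first fell inside one sliding `window`."""
    recent = {}   # host -> deque of recent matching rename times
    alerts = {}   # host -> timestamp of first alert
    for ts, host, old, new in sorted(events):
        if not is_kirk_rename(old, new):
            continue
        t = datetime.fromisoformat(ts)
        q = recent.setdefault(host, deque())
        q.append(t)
        # Drop renames that are older than the window.
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, ts in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: burst of {SUFFIX} renames reached threshold at {ts}")
```

A single renamed file is weak evidence on its own, which is why the check keys on a burst per host rather than on any one `.kirked` filename.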
Kirk Ransomware is the first known ransomware to demand payment in Monero; most other ransomware has demanded bitcoins. [7] Monero has significantly greater privacy protection than bitcoin, making transactions much more difficult to trace. [2] [8]
A variant of Kirk Ransomware, named Lick Ransomware, was also discovered; it does not contain Star Trek references. [9]