Euro Security Watch with Mathew J. Schwartz

Star Trek Ransomware Boldly Encrypts

Experts Warn: Don't Let Ransomware Live Long and Prosper
Ransom note. (Source: Jakub Kroustek)

With ransomware attackers having already launched attack code with themes ranging from Pokémon Go and horror movies to Hitler and cats, it was only a matter of time before they decided to beam Star Trek's Captain James T. Kirk direct to would-be victims' PCs.

Witness the debut of the trekker-tastic Kirk ransomware, first discovered by malware researcher Jakub Kroustek at security firm Avast.

Victims will know their PC has been encrypted by the ransomware in part because their files will have ".kirked" added as an extension, Kroustek says, noting that the attack code is designed to encrypt 625 different types of file extensions, "even Solitaire save games."
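The ".kirked" extension is the indicator the page gives, so the natural defender's check is a scan that hunts for it. The script below is an added example, not code from the original article or from Kroustek/Avast: it walks a directory tree, collects every file carrying the suffix, recovers the pre-encryption filename (useful when matching against backups), and reports what fraction of the tree is affected. The sample tree it builds is constructed for the demonstration; the 625-extension list the page mentions is not reproduced here.

```python
import os
import tempfile

# Extension the page reports Kirk ransomware appends to encrypted files.
KIRK_SUFFIX = ".kirked"


def find_kirked_files(root):
    """Return sorted paths under root whose filename ends with the Kirk suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(KIRK_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(kirked_path):
    """Strip the appended suffix to recover the filename as it was before encryption."""
    base = os.path.basename(kirked_path)
    if base.lower().endswith(KIRK_SUFFIX):
        return base[: -len(KIRK_SUFFIX)]
    return base


def affected_ratio(root):
    """Fraction of regular files under root that carry the suffix (0.0 when the tree is empty)."""
    total = sum(len(files) for _d, _s, files in os.walk(root))
    if total == 0:
        return 0.0
    return len(find_kirked_files(root)) / total


def build_sample_tree(root):
    """Constructed sample data (assumption, not real victim data): two clean files and
    three files renamed the way the page describes, one of them in a subdirectory."""
    os.makedirs(os.path.join(root, "saves"), exist_ok=True)
    sample = [
        "report.docx",                      # untouched
        "README.txt",                       # untouched
        "notes.txt.kirked",                 # encrypted
        "photo.jpg.kirked",                 # encrypted
        os.path.join("saves", "game1.sav.kirked"),  # encrypted save game
    ]
    for rel in sample:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder bytes")


def demo():
    """Build the constructed tree in a temp dir; return (hit count, recovered names, ratio)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_kirked_files(tmp)
        return len(hits), [original_name(h) for h in hits], affected_ratio(tmp)


if __name__ == "__main__":
    count, names, ratio = demo()
    print(f"{count} files carry {KIRK_SUFFIX}; originals: {names}; {ratio:.0%} of tree affected")
```

Run it against a real share or home directory by calling find_kirked_files(path) directly; a non-zero hit count on a system that should not have any is the trigger to isolate the host and start restoring from the offline backups the article recommends, rather than to touch the ransom note.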

Kroustek also says that the same attack code is also circulating as part of what's being called Lick ransomware.

Spock to the Rescue

It's not clear how the Kirk ransomware is getting distributed, or if there have been any victims to date. As noted by anti-ransomware site Bleeping Computer, however, the ransomware masquerades as the free distributed denial-of-service attack tool Low-Orbit Ion Canon, or LOIC.

Kirk ransomware ransom note extract. (Source: Jakub Kroustek)

The Kirk ransomware ransom note says that anyone who pays to recover their files will receive, appropriately enough, a Spock decryptor.

Some would-be users might not be old enough to remember LOIC's 2010 debut, when the Anonymous collective began urging people to take up digital arms as part of the pro-WikiLeaks "Operation Payback," in part by downloading and aiming LOIC at sites run by such organizations as MasterCard, PayPal and Visa. Many LOIC users, however, apparently didn't realize that the tool wasn't designed to mask their IP addresses, which many of the victim organizations duly recorded. These packet-capture logs got shared with law enforcement agencies and arrests of alleged users shortly ensued.

Attacker Seeks Monero

Unusually, the Kirk ransomware seeks payment via a type of cryptocurrency known as Monero. The ransom note demands 50 monero, currently worth about $1,200, to decrypt all files. If users don't pay within 48 hours, it begins increasing the ransom demand. "In 31 days your password decryption key gets permanently deleted," it warns.

If executed, the ransomware begins encrypting 625 different file types on a victim's PC while masquerading as LOIC. (Source: Jakub Kroustek)

Monero, aka XMR, claims to be more private and difficult to trace than bitcoin. Unlike bitcoin, it also has no hardcoded block size limit, meaning that in theory an infinite amount of Monero could be mined.

Monero got a boost last year, when the operators of the darknet marketplace Alphabay announced on Reddit that as of Sept. 1, 2016, they would begin allowing Monero deposits and withdrawals.

"Following the demand from the community, and considering the security features of Monero, we decided to add it to our marketplace," they wrote.

Cryptocurrency market capitalizations chart. (Source: Coinmarketcap, March 20, 2017.)

Don't Count on Spock

The Kirk ransomware ransom note ends: "Live long and prosper."

But security experts and law enforcement agencies recommend that, whenever possible, victims shouldn't help ransomware attackers prosper. In particular, they advocate never paying ransoms, because it incentivizes attackers to continue their cybercrime research and development.

Instead, experts recommend organizations maintain secured, offline backups of files, so affected systems can be wiped and restored.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.