The Star Trek themed ransomware

On Friday a new strain of ransomware discovered by a security researcher at Avast

The Star Trek themed ransomware

'The most obvious is that all ransomware has, and will always have, a ransom note—and therein lies its Achilles’ heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component. It must inform the victim of the attack, and provide instructions for paying the ransom'

The Avast malware researcher, Jakub Kroustek, discovered the Kirk Ransomware last week.

The latest ransomware is written in Python and may be the first ransomware to utilise Monero as the ransom payment of choice.

There are no known victims of this new strain of ransomware, according to Bleeping Computer.

However, there is no known way to decrypt it, so this will probably change.

>See also: The evolution of ransomware: what lies ahead?

The new ransomware disguises itself as the stress testing app Low Orbital Ion Cannon, and targets over 600 file types with RSA 4096-bit encryption.

The affected files will be renamed with the “.kirked” suffix – hence the title of this new ransomware strain.

“No crafty detection evasion is employed. It generates a single AES key for use in encrypting all files, which is encrypted with the public key and written to disk,” explained Webroot reverse engineer, Eric Klonowski.

“Files are encrypted with AES in CBC mode, are prepended with the file size and IV in plaintext, and are padded out to 16 bytes with spaces. The malware relies on the common PyCrypto libraries for all encryption.”

“The Kirk malware demonstrates that ransomware crypto can be effectively implemented in a few lines of code with relatively few weaknesses,” explained Klonowski.

Monero

For possibly the first time, victims of Kirk Ransomware may be required to pay via Monero.

Monero acts as an equivalent to Bitcoin – an anonymous and secure virtual payment system. This is an attractive option to criminal, who are using Bitcoin as their preferred payment system to extort money from victims through schemes, such as ransomware. If this extends to Monero it will likely leave victims more confused and unsure how to pay.

>See also: 6 steps to protect your company from crypto-ransomware attacks

Commenting on this, Engin Kirda, co-founder of Lastline said: “Ransomware, such as the Kirk malware, by its very nature, tips its hand with characteristics that make it predictable and recognisable.”

“The most obvious is that all ransomware has, and will always have, a ransom note—and therein lies its Achilles’ heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component. It must inform the victim of the attack, and provide instructions for paying the ransom.”

“Security controls benefit from this and other predictable behaviours. Advanced malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot before files are frozen and ransoms demanded.”

Comments (0)