Next-Generation Technologies & Secure Development
Star Trek Ransomware Boldly Encrypts
Experts Warn: Don't Let Ransomware Live Long and ProsperWith ransomware attackers having already launched attack code with themes ranging from Pokémon Go and horror movies to Hitler and cats, it was only a matter of time before they decided to beam Star Trek's Captain James T. Kirk direct to would-be victims' PCs.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
Witness the debut of the trekker-tastic Kirk ransomware, first discovered by malware researcher Jakub Kroustek at security firm Avast.
Victims will know their PC has been encrypted by the ransomware in part because their files will have ".kirked" added as an extension, Kroustek says, noting that the attack code is designed to encrypt 625 different types of file extensions, "even Solitaire save games."
This is interesting! #Ransomware made by Trekkie - #Kirk ransomware & #Spock decryptor. Payments in #Monero. #Python https://t.co/ZvTYPHaSOb pic.twitter.com/eV8i1Sj4qQ
— Jakub Kroustek (@JakubKroustek) March 16, 2017
Kroustek also says that the same attack code is also circulating as part of what's being called Lick ransomware.
Spock to the Rescue
It's not clear how the Kirk ransomware is getting distributed, or if there have been any victims to date. As noted by anti-ransomware site Bleeping Computer, however, the ransomware masquerades as the free distributed denial-of-service attack tool Low-Orbit Ion Canon, or LOIC.
The Kirk ransomware ransom note says that anyone who pays to recover their files will receive, appropriately enough, a Spock decryptor.
Some would-be users might not be old enough to remember LOIC's 2010 debut, when the Anonymous collective began urging people to take up digital arms as part of the pro-WikiLeaks "Operation Payback," in part by downloading and aiming LOIC at sites run by such organizations as MasterCard, PayPal and Visa. Many LOIC users, however, apparently didn't realize that the tool wasn't designed to mask their IP addresses, which many of the victim organizations duly recorded. These packet-capture logs got shared with law enforcement agencies and arrests of alleged users shortly ensued.
Attacker Seeks Monero
Unusually, the Kirk ransomware seeks payment via a type of cryptocurrency known as Monero. The ransom note demands 50 monero, currently worth about $1,200, to decrypt all files. If users don't pay for 48 hours, it begins increasing the ransom demand. "In 31 days your password decryption key gets permanently deleted," it warns.
Monero, aka XMR, claims to be more private and difficult to trace than bitcoin. Monero got a boost last year, when the operators of the darknet marketplace Alphabay announced on Reddit that as of Sept. 1, 2016, they would begin allowing Monero deposits and withdrawals.
"Following the demand from the community, and considering the security features of Monero, we decided to add it to our marketplace," they wrote.
Cryptocurrency Market Capitalizations
Don't Count on Spock
The Kirk ransomware random note ends: "Live long and prosper."
But security experts and law enforcement agencies recommend that, whenever possible, victims shouldn't help ransomware attackers prosper. In particular, they advocate never paying ransoms, because it incentivizes attackers to continue their cybercrime research and development.
Instead, experts recommend organizations maintain secured, offline backups of files, so affected systems can be wiped and restored.