A new strain of ransomware named Kirk has been observed and analyzed by researchers. Kirk Ransomware targets 625 file types for encryption, and like most ransomware, it then demands payment from the victim to decrypt those files. But despite the similarities, Kirk isn’t your standard ransomware.
As of this writing, it remains unclear how Kirk is being distributed. It is known that Kirk disguises itself as the Low Orbital Ion Cannon, which is an open source network stress tool (or DDoS attack tool, depending on your intentions). Kirk Ransomware executable is named ‘loic_win32.exe,’ and when executed, it will generate an AES password that will be used for encryption. The AES key will then be encrypted and saved in a file called ‘pwd,’ which is saved in the same directory as ‘loic_win32.exe.’ When Kirk has finished encrypting the targeted files it finds on the local drive, it will create ‘Ransom_Note.txt’ in the same directory.
Kirk is the first strain of ransomware to require payment using Monero, which is an open source cryptocurrency that was launched a couple of years ago. It’s unknown why the Kirk team decided to use Monero rather than Bitcoin, which is more familiar to the public. Monero is known for being anonymous and untraceable, and is widely considered to be “the dark net’s cryptocurrency of choice.” Researchers have expressed concern that the use of Monero may create a point of confusion for victims unfamiliar with cryptocurrency. The criminals must think that confusion is worth it in exchange for the hyper-anonymity offered by Monero.
There is currently no decryptor for Kirk, save for the “Spock” decryptor that the Kirk criminals will provide upon payment. For technical details and screenshots, see the Bleeping Computer research here.
As with all ransomware, the best defense involves preventing the infection and protecting data that may be targeted. Barracuda has a handful of resources to help you follow best practices and align our solutions with your needs.