A new strain of ransomware named Kirk has been observed and analyzed by researchers. Kirk Ransomware targets 625 file types for encryption, and like most ransomware, it then demands payment from the victim to decrypt those files. But despite the similarities, Kirk isn’t your standard ransomware.
As of this writing, it remains unclear how Kirk is being distributed. It is known that Kirk disguises itself as the Low Orbit Ion Cannon, which is an open-source network stress tool (or DDoS attack tool, depending on your intentions). The Kirk Ransomware executable is named ‘loic_win32.exe,’ and when executed, it will generate an AES password that will be used for encryption. The AES key will then be encrypted and saved in a file called ‘pwd,’ which is saved in the same directory as ‘loic_win32.exe.’ When Kirk has finished encrypting the targeted files it finds on the local drive, it will create ‘Ransom_Note.txt’ in the same directory.
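The three file names above tend to sit in one directory, which makes them usable as a triage indicator. The following Python sketch is an added example, not code from the original article or the researchers; the function names and the "at least two of three" threshold are assumptions chosen for illustration, and the sample tree is constructed from empty placeholder files.

```python
import os
import tempfile

# Artifact names taken from the write-up above.
DROPPER = "loic_win32.exe"
KEY_FILE = "pwd"
NOTE = "Ransom_Note.txt"

def find_kirk_artifacts(root):
    """Walk root and return one finding per directory holding Kirk artifacts.

    A directory is reported only when at least two of the three names
    co-occur (assumed threshold): 'pwd' or a LOIC binary alone is weak evidence.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased.
        present = {f.lower() for f in files}
        hits = [n for n in (DROPPER, KEY_FILE, NOTE) if n.lower() in present]
        if len(hits) >= 2:
            findings.append({
                "directory": dirpath,
                "artifacts": hits,
                # 'pwd' holds the encrypted AES key: preserve it, do not delete.
                "key_file_present": KEY_FILE in hits,
                # The note is written only after encryption has finished.
                "encryption_finished": NOTE in hits,
            })
    return findings

def build_sample_tree():
    """Constructed sample tree (empty placeholder files, no real malware)."""
    root = tempfile.mkdtemp(prefix="kirk_demo_")
    layout = {
        "Downloads": ["LOIC_Win32.exe", "pwd", "Ransom_Note.txt"],  # full set
        "Temp": ["loic_win32.exe", "pwd"],   # note absent: still encrypting
        "Projects": ["pwd"],                 # unrelated file, not flagged
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    return root

if __name__ == "__main__":
    for finding in find_kirk_artifacts(build_sample_tree()):
        print(finding)
```

A directory that holds the executable and ‘pwd’ but no ransom note suggests encryption had not completed when the scan ran, which is worth prioritizing during containment.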