Star Trek Ransomware Demands Monero Payments


Security researchers have discovered a new Star Trek-themed ransomware variant that demands payment in the cryptocurrency Monero.

Flagged on Twitter by Avast reverse engineer Jakub Kroustek, the Python-based ransomware has no reported victims so far, according to Bleeping Computer.

However, with no known way to decrypt affected files at present, that will probably not stay the case for long.

It masquerades as the popular stress-testing tool Low Orbit Ion Cannon (LOIC) and targets over 600 file types. Files are encrypted with AES, and the AES key is in turn encrypted with a 4096-bit RSA public key.

Affected files will be renamed with the “.kirked” suffix.

“No crafty detection evasion is employed. It generates a single AES key for use in encrypting all files, which is encrypted with the public key and written to disk,” explained Webroot reverse engineer Eric Klonowski.

“Files are encrypted with AES in CBC mode, are prepended with the file size and IV in plaintext, and are padded out to 16 bytes with spaces. The malware relies on the common PyCrypto libraries for all encryption.”
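The per-file layout Klonowski describes (size and IV in plaintext, then the AES-CBC ciphertext of the space-padded content), as an added Python example that is not the malware's own code. Assumptions not stated in the article: the size field is an 8-byte little-endian integer (the report gives no encoding), the demo key and plaintext are constructed, and PyCryptodome (API-compatible with the PyCrypto the malware uses) stands in as the AES backend, with the `cryptography` package as a fallback. The RSA wrapping of the AES key is not shown. The example also makes the point an analyst cares about: the plaintext size field, not the padding, is what lets a decryptor recover files exactly, and it gives a cheap way to detect a wrong key.

```python
import os
import struct
from typing import Optional, Tuple

# AES-CBC backend. PyCryptodome exposes the PyCrypto API the article names;
# fall back to the 'cryptography' package if that is what is installed.
try:
    from Crypto.Cipher import AES as _AES

    def _cbc_backend(key, iv, data, encrypt):
        cipher = _AES.new(key, _AES.MODE_CBC, iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _cbc_backend(key, iv, data, encrypt):
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()


def _cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    # An empty (already block-aligned) body has nothing to run through the cipher.
    return _cbc_backend(key, iv, data, encrypt) if data else b""


BLOCK = 16
SIZE_FMT = "<Q"                       # ASSUMPTION: 8-byte little-endian size field;
SIZE_LEN = struct.calcsize(SIZE_FMT)  # the article does not give the encoding.
HEADER_LEN = SIZE_LEN + BLOCK         # size field followed by the 16-byte IV

DEMO_KEY = bytes(range(16))                # constructed AES-128 key, demo only
DEMO_PLAINTEXT = b"Beam me up, Scotty   "  # constructed; trailing spaces on purpose


def pad_spaces(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes with ASCII spaces, as Klonowski describes.
    Already-aligned input (including empty input) gets no padding at all."""
    return data + b" " * (-len(data) % BLOCK)


def encrypt_kirked(key: bytes, data: bytes, iv: Optional[bytes] = None) -> bytes:
    """Build a blob in the described layout: size || IV || AES-CBC(space-padded data)."""
    iv = os.urandom(BLOCK) if iv is None else iv
    body = _cbc(key, iv, pad_spaces(data), encrypt=True)
    return struct.pack(SIZE_FMT, len(data)) + iv + body


def parse_header(blob: bytes) -> Tuple[int, bytes, bytes]:
    """Split a blob into (original_size, iv, ciphertext), checking it is well formed."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than size field plus IV")
    (size,) = struct.unpack(SIZE_FMT, blob[:SIZE_LEN])
    iv, body = blob[SIZE_LEN:HEADER_LEN], blob[HEADER_LEN:]
    if len(body) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the block size")
    if size > len(body):
        raise ValueError("size field exceeds ciphertext length")
    return size, iv, body


def decrypt_kirked(key: bytes, blob: bytes) -> bytes:
    """Recover the original bytes given the run's AES key.

    The plaintext size field is what makes space padding unambiguous: simply
    stripping trailing spaces would corrupt files that legitimately end in them.
    Non-space bytes in the padding region mean a wrong key or a damaged file."""
    size, iv, body = parse_header(blob)
    padded = _cbc(key, iv, body, encrypt=False)
    if padded[size:].strip(b" "):
        raise ValueError("padding is not all spaces: wrong key or corrupt file")
    return padded[:size]


def demo() -> dict:
    """Constructed round trip plus two failure cases; returns results for checking."""
    blob = encrypt_kirked(DEMO_KEY, DEMO_PLAINTEXT)
    try:
        decrypt_kirked(bytes(BLOCK), blob)   # wrong key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    try:
        parse_header(blob[:HEADER_LEN - 1])  # header cut short
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "blob_len": len(blob),
        "round_trip_ok": decrypt_kirked(DEMO_KEY, blob) == DEMO_PLAINTEXT,
        "wrong_key_rejected": wrong_key_rejected,
        "truncated_rejected": truncated_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Because one AES key covers the whole run, an analyst who recovers that key (for example from the memory of the still-running process, before it exits) can feed it to `decrypt_kirked` and restore every file the sample touched; without the key, the 4096-bit RSA wrapping leaves nothing to attack in the file format itself.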

Interestingly, it is one of the first documented ransomware families to demand payment in Monero, around $1,000 worth, rather than the more widely used Bitcoin.

On payment, the ransomware authors promise to send an appropriately named “Spock” decryptor.

“The Kirk malware demonstrates that ransomware crypto can be effectively implemented in a few lines of code with relatively few weaknesses,” explained Klonowski.

The discovery is yet another sign of the growing diversity of ransomware variants, and further evidence that ransomware remains popular among the black-hat community as a way to make a quick buck.

However, according to Trend Micro’s recent 2017 predictions report, this year will likely see more cyber-criminals turn to Business Email Compromise (BEC) and other techniques in a bid to generate greater profits from their endeavors.
