
Kirk Ransomware: Difference between revisions

From Wikipedia, the free encyclopedia
create
 
m move to most specific category
 
(23 intermediate revisions by 14 users not shown)
Line 1: Line 1:
{{short description|Ransomware malware, discovered in 2017}}
{{Infobox computer virus
{{Infobox computer virus
| fullname = Kirk Ransomware
| fullname = Kirk Ransomware
| image =
| image = Kirk ransomware.png
| caption =
| caption = Part of the ransom note
| common_name =
| common_name =
| technical_name =
| technical_name =
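Review bot: the short description added at the top of this hunk reads "Ransomware malware", which is redundant because ransomware is already a kind of malware. "Ransomware discovered in 2017" carries the same information in fewer words.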
Line 11: Line 12:
| subtype =
| subtype =
| isolation_date =
| isolation_date =
| origin = 2017
| origin =
| infection_vector =
| infection_vector =
| author =
| author =
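Review bot: the `origin` row loses its value 2017 and nothing replaces it, while `isolation_date` just above stays empty. Since the rewritten lead says the ransomware was first discovered in 2017, consider moving the year into `isolation_date` instead of dropping it from the infobox.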
Line 17: Line 18:
| OS =
| OS =
| filesize =
| filesize =
| language = English
| language = [[Python (computing)|Python]]<ref name=bc/>
}}
}}
'''Kirk Ransomware''', or '''Kirk''',<ref name=zis /> is a [[ransomware]] [[malware]] originated in 2017. The ransomware is installed as a [[Trojan horse (virus)|Trojan horse]] which locks the infected computer's files and demands payment in the [[Monero]] [[cryptocurrency]].<ref name=zis>{{cite book |first=Ziska |last=Fields |title=
Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution |page=105 |publisher=IGI Global |year=2018 |isbn=1522547649}}</ref>


'''Kirk Ransomware''', or '''Kirk''',<ref name=zis /> is [[malware]]. It encrypts files on an infected computer and demands payment for decryption in the [[cryptocurrency]] [[Monero (cryptocurrency)|Monero]]. The [[ransomware]] was first discovered in 2017, by [[Avast]] researcher Jakub Kroustek.<ref name=zis>{{cite book |first=Ziska |last=Fields |title=Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution |page=105 |publisher=IGI Global |year=2018 |isbn=978-1-5225-4764-8}}</ref><ref>{{cite news|url=https://www.theregister.co.uk/2017/03/17/star_trek_ransomware/ |title=Shameless crooks fling Star Trek-themed ransomware at world |publisher=The Register |date=2017-03-17 |access-date=2020-01-04}}</ref>
== Description ==
When Kirk Ransomware is activated, a message box pops up purporting to start a "Low Orbital Ion Cannon" on the computer.<ref name=bc /> In the meantime, all files with common file extensions on the computer get encrypted with .kirked as an additional file extension at the end. The ransom note then pops up with an [[ASCII art]] image of Captain [[James T. Kirk]] and [[Spock]] from ''[[Star Trek: The Original Series]]'' claiming that Kirk ransomware had encrypted the computer with a demand for 50 Monero (approximately $1,100) for the "Spock decryptor".<ref>{{cite web |first=Bill |last=Bremner |url=https://nakedsecurity.sophos.com/2017/03/24/spock-will-unlock-kirk-ransomware-after-you-beam-up-a-bunch-of-monero/ |title=Spock will unlock Kirk ransomware – after you beam up a bunch of Monero |publisher=Sophos |date=2017-03-24 |accessdate=2020-01-04}}<ref>{{cite web|url=https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/ |title=Kirk ransomware sports Star Trek-themed decryptor and little-known crypto-currency |publisher=Grahamcluley.com |date= |accessdate=2020-01-04}}</ref> The ransomware uses ''Star Trek'' references during it's instructions as well with the quote "Logic, motherfucker" used by Spock (without the swear word) and ending the ransom demand with "[[Live long and prosper|live long and prosper]]".<ref name=bc>{{cite web|url=https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/ |title=Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor! |publisher=Bleepingcomputer.com |date=2017-03-16 |accessdate=2020-01-04}}</ref> The price doubles after 48 hours of non-payment then doubles each week that passes until after 31 days, the decryptor is deleted.<ref>{{cite web|author=Ms. 
Smith |url=https://www.csoonline.com/article/3182415/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html |title=Star Trek-themed Kirk ransomware discovered |publisher=CSO Online |date= |accessdate=2020-01-04}}</ref> A similar style ransomware was later released called "Lick Ransomware" that behaves the same a Kirk Ransomware except the encrypted file extension is changed to .licked and the ''Star Trek'' references are removed.<ref>{{cite web|url=https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ |title=The Week in Ransomware - March 17th 2017 - Revenge, PetrWrap, and Captain Kirk |publisher=Bleepingcomputer.com |date=2017-03-18 |accessdate=2020-01-04}}</ref>


== Reaction ==
== Description ==
Kirk Ransomware is a [[trojan horse (computing)|trojan horse]] program that masquerades as [[Low Orbit Ion Cannon]], an application used for [[stress testing (software)|stress testing]] and [[denial-of-service attack]]s.<ref name=bc>{{cite web|url=https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/ |title=Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor! |publisher=Bleepingcomputer.com |date=2017-03-16 |access-date=2020-01-04}}</ref> Once activated, Kirk Ransomware searches the infected computer's hard drive for files with certain [[filename extension]]s, and encrypts and renames them, adding <code>.kirked</code> to the end of their filenames. When the encryption is finished, a window pops up, displaying an [[ASCII art]] image of [[James T. Kirk|Captain James T. Kirk]] and [[Spock]] from ''[[Star Trek: The Original Series]]'', and informing the user that files have been "encrypted using military grade encryption." "SPOCK TO THE RESCUE!" 
the ransom note continues, and demands payment in order to receive a decryptor program named Spock.<ref>{{cite web |first=Bill |last=Bremner |url=https://nakedsecurity.sophos.com/2017/03/24/spock-will-unlock-kirk-ransomware-after-you-beam-up-a-bunch-of-monero/ |title=Spock will unlock Kirk ransomware – after you beam up a bunch of Monero |publisher=Sophos |date=2017-03-24 |access-date=2020-01-04}}</ref><ref>{{cite web|url=https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/ |title=Kirk ransomware sports Star Trek-themed decryptor and little-known crypto-currency |publisher=Grahamcluley.com |date= 17 March 2017|access-date=2020-01-04}}</ref> The ransom demanded is initially 50 Monero (worth about $1,175 as of March 2017);<ref name=cso/> if not paid within 48 hours, the demand begins increasing, reaching 500 Monero after two weeks. If the ransom remains unpaid after 30 days, the decryption key is deleted, essentially rendering the encryption irreversible.<ref name=cso>{{cite web|author=Ms. Smith |url=https://www.csoonline.com/article/3182415/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html |title=Star Trek-themed Kirk ransomware discovered |publisher=CSO Online |date= 19 March 2017|access-date=2020-01-04}}</ref> The ransom note includes a spurious quotation from Spock ("Logic, motherfucker"), and ends with "[[Vulcan salute#"Live long and prosper"|LIVE LONG AND PROSPER]]".<ref name=bc />
Kirk Ransomware was first discovered by the [[Avast]] researcher Jakub Kroustek.<ref>{{cite news|url=https://www.theregister.co.uk/2017/03/17/star_trek_ransomware/ |title=Shameless crooks fling Star Trek-themed ransomware at world |publisher=The Register |date=2017-03-17 |accessdate=2020-01-04}}</ref> Some ransomware experts argued that in the Kirk ransomware being the first ransomware using Monero,<ref>{{cite web|url=https://www.cyberdefensemagazine.com/kirk-ransomware-a-star-trek-themed-ransomware-that-requests-monero-payments/ |title=Kirk ransomware – A Star Trek Themed Ransomware that requests Monero payments |publisher=Cyber Defense Magazine |date= |accessdate=2020-01-04}}</ref> it is an upgrade on the [[bitcoin]] cryptocurrency usually requested in ransomware demands as Monero is untraceable as it does not use a [[blockchain]].<ref name=zis /><ref>{{cite web|last=Riley |first=Duncan |url=https://siliconangle.com/2017/03/22/new-star-trek-themed-ransomware-goes-no-ransomware-gone/ |title=New Star Trek-themed attack goes where no ransomware has gone before |publisher=Silicon Angle |date=2017-03-22 |accessdate=2020-01-04}}</ref>

Kirk Ransomware is the first known ransomware to demand payment in Monero; most other ransomware has demanded [[bitcoin]]s.<ref>{{cite web|url=https://www.cyberdefensemagazine.com/kirk-ransomware-a-star-trek-themed-ransomware-that-requests-monero-payments/ |title=Kirk ransomware – A Star Trek Themed Ransomware that requests Monero payments |publisher=Cyber Defense Magazine |date= 22 March 2017|access-date=2020-01-04}}</ref> Monero has significantly greater privacy protection than bitcoin, making transactions much more difficult to trace.<ref name=zis /><ref>{{cite news |last1=Hern |first1=Alex |title=Missed the bitcoin boom? Five more baffling cryptocurrencies to blow your savings on |url=https://www.theguardian.com/technology/shortcuts/2017/dec/11/missed-bitcoin-boom-five-more-baffling-cryptocurrencies-to-blow-your-savings-on |access-date=May 7, 2020 |work=[[The Guardian]] |date=December 11, 2017}}</ref>

A variant of Kirk Ransomware, named Lick Ransomware, was also discovered; it does not contain ''Star Trek'' references.<ref>{{cite web|url=https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ |title=The Week in Ransomware – March 17th 2017 – Revenge, PetrWrap, and Captain Kirk |publisher=Bleepingcomputer.com |date=2017-03-18 |access-date=2020-01-04}}</ref>


== References ==
== References ==
{{Reflist}}
{{Reflist}}

[[Category:2017 in computing]]
[[Category:Ransomware]]
[[Category:Star Trek]]
[[Category:Hacking in the 2010s]]
[[Category:Windows trojans]]

{{Hacking in the 2010s}}
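Review bot: the rewritten Lick Ransomware sentence at the end of the Description section drops the `.licked` file extension that the previous text gave for the variant, which is the one concrete detail that distinguishes the two on disk. Consider keeping it alongside the note that the Star Trek references are absent. The key-deletion deadline also changes from 31 days to 30 days under the same CSO Online citation, so it is worth confirming against that source.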

Latest revision as of 03:50, 20 June 2024

Kirk Ransomware
Part of the ransom note
Classification: Ransomware
Technical details
Written in: Python[1]

Kirk Ransomware, or Kirk,[2] is malware. It encrypts files on an infected computer and demands payment for decryption in the cryptocurrency Monero. The ransomware was first discovered in 2017, by Avast researcher Jakub Kroustek.[2][3]

Description


Kirk Ransomware is a trojan horse program that masquerades as Low Orbit Ion Cannon, an application used for stress testing and denial-of-service attacks.[1] Once activated, Kirk Ransomware searches the infected computer's hard drive for files with certain filename extensions, and encrypts and renames them, adding .kirked to the end of their filenames. When the encryption is finished, a window pops up, displaying an ASCII art image of Captain James T. Kirk and Spock from Star Trek: The Original Series, and informing the user that files have been "encrypted using military grade encryption." "SPOCK TO THE RESCUE!" the ransom note continues, and demands payment in order to receive a decryptor program named Spock.[4][5] The ransom demanded is initially 50 Monero (worth about $1,175 as of March 2017);[6] if not paid within 48 hours, the demand begins increasing, reaching 500 Monero after two weeks. If the ransom remains unpaid after 30 days, the decryption key is deleted, essentially rendering the encryption irreversible.[6] The ransom note includes a spurious quotation from Spock ("Logic, motherfucker"), and ends with "LIVE LONG AND PROSPER".[1]

Kirk Ransomware is the first known ransomware to demand payment in Monero; most other ransomware has demanded bitcoins.[7] Monero has significantly greater privacy protection than bitcoin, making transactions much more difficult to trace.[2][8]

A variant of Kirk Ransomware, named Lick Ransomware, was also discovered; it does not contain Star Trek references.[9]
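An added triage sketch, not part of the article or any cited source: it scopes the rename behaviour described above by walking a directory tree for files whose names end in `.kirked` (or `.licked`, the Lick variant extension given in the earlier revision text on this page). The function names and sample file names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Appended extensions named on this page: .kirked (Kirk) and .licked (Lick variant).
MARKERS = (".kirked", ".licked")

def scope_encrypted_files(root):
    """Walk root and summarise files carrying an appended ransomware marker."""
    hits, by_marker, by_type = [], Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            marker = next((m for m in MARKERS if lower.endswith(m)), None)
            if marker is None:
                continue
            path = os.path.join(dirpath, name)
            original = name[: -len(marker)]  # file name before the rename
            ext = os.path.splitext(original)[1].lower() or "(none)"
            by_marker[marker] += 1
            by_type[ext] += 1
            hits.append({
                "path": path,
                "original_name": original,
                "mtime": os.path.getmtime(path),
                # A same-named file without the marker may be a surviving copy.
                "plaintext_sibling": os.path.exists(os.path.join(dirpath, original)),
            })
    times = [h["mtime"] for h in hits]
    window = (min(times), max(times)) if times else None
    return {"hits": hits, "by_marker": dict(by_marker),
            "by_type": dict(by_type), "window": window}

def build_sample_tree(root):
    """Constructed sample data: empty files named the way the page describes."""
    names = ["report.docx.kirked", "photo.jpg.kirked", "notes.txt",
             "notes.txt.kirked", "budget.xlsx.licked", "README"]
    for n in names:
        open(os.path.join(root, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        s = scope_encrypted_files(d)
        print(s["by_marker"], s["by_type"])
        start, end = (datetime.fromtimestamp(t, timezone.utc) for t in s["window"])
        print("modified between", start.isoformat(), "and", end.isoformat())
```

The modification-time window gives a first estimate of when the encryption pass ran, and the per-extension counts show which file types were targeted on that host.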

References

  1. ^ a b c "Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!". Bleepingcomputer.com. 2017-03-16. Retrieved 2020-01-04.
  2. ^ a b c Fields, Ziska (2018). Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution. IGI Global. p. 105. ISBN 978-1-5225-4764-8.
  3. ^ "Shameless crooks fling Star Trek-themed ransomware at world". The Register. 2017-03-17. Retrieved 2020-01-04.
  4. ^ Bremner, Bill (2017-03-24). "Spock will unlock Kirk ransomware – after you beam up a bunch of Monero". Sophos. Retrieved 2020-01-04.
  5. ^ "Kirk ransomware sports Star Trek-themed decryptor and little-known crypto-currency". Grahamcluley.com. 17 March 2017. Retrieved 2020-01-04.
  6. ^ a b Ms. Smith (19 March 2017). "Star Trek-themed Kirk ransomware discovered". CSO Online. Retrieved 2020-01-04.
  7. ^ "Kirk ransomware – A Star Trek Themed Ransomware that requests Monero payments". Cyber Defense Magazine. 22 March 2017. Retrieved 2020-01-04.
  8. ^ Hern, Alex (December 11, 2017). "Missed the bitcoin boom? Five more baffling cryptocurrencies to blow your savings on". The Guardian. Retrieved May 7, 2020.
  9. ^ "The Week in Ransomware – March 17th 2017 – Revenge, PetrWrap, and Captain Kirk". Bleepingcomputer.com. 2017-03-18. Retrieved 2020-01-04.