Star Trek Themed Kirk Ransomware - Webroot analysis
March 2017 by Webroot
There’s a new piece of ransomware called Kirk that’s been discovered by an Avast malware researcher and is thought to be the first ransomware to utilize Monero as the ransom payment of choice. Monero is an alternative cyptocurrency to BitCoin and believe to offer greater anonymity. The decryptor "Spock" will be supplied to the victim once the payment is made, but at this time the ransomware does not look like it can be decrypted.
Eric Klonowski, Reverse Engineer at Webroot at taken the malware apart and below are some insights from him.
The newly surfaced Kirk ransomware disguises itself as the popular Low Orbit Ion Cannon, an internet activist denial of service tool. The malware is written in python and packaged up in a 5.5 Mb python to exe dropper that is distributed with a 4096 bit RSA public key. No crafty detection evasion is employed. It generates a single AES key for use in encrypting all files, which is encrypted with the public key and written to disk. Files are encrypted with AES in CBC mode, are prepended with the file size and IV in plaintext, and are padded out to 16 bytes with spaces. The malware relies on the common PyCrypto libraries for all encryption. The ransom letter demands payment via the Monero blockchain crypto currency, a rising standard amongst small-time ransomware operations. The Kirk malware demonstrates that ransomware crypto can be effectively implemented in a few lines of code with relatively few weaknesses.