Kirk Ransomware targets Windows OS; its distribution method is currently unknown. The ransomware’s executable file, named loic_win32.exe, masquerades as the open-source denial-of-service (DoS) application Low Orbit Ion Cannon. When launched, Kirk searches for 625 file types and encrypts them using an AES key. It then encrypts that key using an embedded RSA-4096 public key and saves the encrypted key in a file named pwd, located in the same directory as Kirk’s executable file. It appends .kirked to the encrypted file names and drops a ransom note named RANSOM_NOTE.txt. It demands a ransom payment of $1,100 worth of the Monero cryptocurrency. If the payment is made, the victims will receive the “Spock” decryptor to decrypt their files. Another version masquerading as a ransomware decryptor, dubbed “Lick Ransomware,” appends .Licked to encrypted file names.
- Bleeping Computer provides more information about Kirk Ransomware here.
- The NJCCIC is not currently aware of any free decryption tools available for Kirk Ransomware.
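
The file-system artifacts named in this profile (the .kirked and .Licked extensions, RANSOM_NOTE.txt, loic_win32.exe and the pwd key file beside it) can be swept for during triage. The script below is an added example, not part of the original profile; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Indicator values taken from the profile above (compared case-insensitively).
ENCRYPTED_EXTS = (".kirked", ".licked")
RANSOM_NOTE = "ransom_note.txt"
KEY_FILE = "pwd"
EXECUTABLE = "loic_win32.exe"


def scan_for_kirk_indicators(root):
    """Walk root and group file paths by the indicator they match."""
    hits = {"encrypted": [], "ransom_note": [], "key_file": [], "executable": []}
    for dirpath, _dirs, files in os.walk(root):
        lowered = {name.lower() for name in files}
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low.endswith(ENCRYPTED_EXTS):
                hits["encrypted"].append(path)
            elif low == RANSOM_NOTE:
                hits["ransom_note"].append(path)
            elif low == EXECUTABLE:
                hits["executable"].append(path)
            elif low == KEY_FILE and EXECUTABLE in lowered:
                # The profile places pwd beside the executable; it holds the
                # RSA-encrypted AES key, so report it for preservation.
                hits["key_file"].append(path)
    return hits


def demo():
    """Build a constructed sample tree and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        layout = ["Downloads/loic_win32.exe", "Downloads/pwd",
                  "Documents/report.docx.kirked", "Documents/RANSOM_NOTE.txt",
                  "Documents/photo.jpg.Licked", "Documents/notes.txt",
                  "Projects/pwd"]  # unrelated file named pwd, not flagged
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        hits = scan_for_kirk_indicators(root)
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in hits.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

File-name matches are triage leads rather than confirmation of infection, and a pwd file is only reported when it sits in the same directory as loic_win32.exe.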