Star Trek Themed Ransomware Continues its Ominous Proliferation

Posted by Geraldine Hunt on Tue, May 9th, 2017

Ransomware continues to evolve, with new strains released on a continuous basis. After last year’s intake of $1 billion in ransomware, it should be assumed that every Tom, Dick and Harry of the cybercriminal world is working right now to improve its distribution in order to gain more victims while, at the same time, streamlining the user experience in order to improve collection rates.

Beam Me Up Your Ransom

In a bizarre twist, a new strain of ransomware not only exploits your data, but the Star Trek theme as well. Simply dubbed 'Kirk Ransomware', it announces its presence on your screen with an image of Captain Kirk of the Starship Enterprise, who informs you that your data has been encrypted and gives details of the required ransom. As a ‘playful’ gesture, all of the encrypted files are renamed with a “kirk” file extension. Victims who pay are then directed to an image of Mr. Spock, who provides instructions on how to recover the data using a “Spock Decryptor” that is sent once payment is received. The malware disguises itself as the Low Orbit Ion Cannon (LOIC) denial of service tool that is commonly used for stress testing.

Monero cryptocurrency requested not Bitcoin

The embedded code is very efficient and is obviously the creation of a team of skilled programmers. Besides incorporating a creative twist into this new malware threat, its creators have strayed from the usual protocol of Bitcoin as a payment currency and instead require the use of Monero. This cryptocurrency grew 27-fold in 2016 and is beginning to establish itself as a viable alternative to the default cryptocurrency leader. Its growing popularity on the dark web black market is due to its increased stealth, which makes it more private and elusive.

Has Bitcoin become too mainstream for scammers?

It is these factors that make Monero the first choice amongst sinister characters such as drug and gun dealers on the dark web. Perhaps the developers of Kirk believe that Bitcoin has become too mainstream, especially with the interest of public investors who are looking at Bitcoin as a financial venture. In the short term, ransomware developers run the risk of confusing users even further about how to actually pay the ransom, now that multiple cryptocurrencies are being utilized. Kirk developers are currently demanding a ransom of 50 Monero at the outset of the attack, which is roughly $1,072 (£867). The fee increases as time goes on until, on the 31st day of the infection, the decryption key is permanently deleted, as stated in the ransom note.

Granular Targeting of Ransomware through Customization

Ransomware has been characterized as a passive attack in the past, meaning that a user happened to stumble across an embedded email link or made an unfortunate visit to a drive-by site and was infected. Unfortunately, ransomware is getting a whole lot smarter. Developers are now designing ransomware to purposely target prescribed destinations, be it industries or folder directories.

Philadelphia ransomware kit

For instance, a new strain of the Philadelphia ransomware kit, which is sold on the Internet for a few hundred bucks to anyone who can afford it (and is brave enough to install it), is specifically designed to target healthcare organizations. This should be no surprise, as healthcare organizations have become the #1 target of ransomware attacks ever since the much publicized attack on Hollywood Presbyterian Hospital early last year.

In this instance, the malware is distributed through a spear-phishing attack that is intentionally directed at hospitals. The message contains a URL that points to a DOCX file that contains the logo of the targeted organization, a signature of a medical practitioner from that organization, and three document icons that pertain to patient information. Once any of the icons is clicked, the attack is launched and the ransomware variant begins its dastardly deed. This ability to customize the look of the “bait” vastly increases the likelihood of someone being lured in. Thus far, two hospitals on the northwest coast of the United States have fallen victim.

Tailoring ransomware attacks to specified file extensions

Customization isn’t just allowing hackers to purposely target select industries.  Through customized fields, ransomware builders give their distribution customers the ability to tailor their attacks to specified file extensions, folder directories and even computer names.  Someone who has done their homework on a select company can create a fully customized attack.

Be it the ability to integrate iconic TV characters into ransomware or to create multiple customized adaptations, it is obvious that ransomware builders have ample time to innovate and develop new strains. It is also evident that ransomware development has entered a new stage, perhaps ransomware 2.0. The concern is that ransomware delivery strategies will outpace the strategies that prevent it.

Thankfully, recorded infection and exposure rates for the Kirk ransomware are low so far. That said, 2017 looks to be another dark year for network security thanks to the escalating rate at which new ransomware variants are coming to market. Ransomware is the fastest growing malware threat today. Security must be inherent and pervasive across the organisation: that includes the entire network, the data center, the endpoints and the cloud. Lean on your security vendors and leverage their in-depth experience in order to increase your organisation's security posture.

If you're an IT Pro with questions about ransomware or other dangerous malware threats, talk to a specialist or email us with any questions.
