Kirk Ransomware

Kirk Ransomware Description

The Kirk Ransomware is a ransomware Trojan themed around Star Trek. PC security researchers first received reports of Kirk Ransomware attacks on March 16, 2017. The Kirk Ransomware is spread to computers running the Windows operating system through spam email messages. These emails carry corrupted text attachments whose macro scripts install the Kirk Ransomware on the victim's computer. In its data, the Kirk Ransomware includes the 'Spock Decryptor,' which allows the Kirk Ransomware to carry out its attack without needing the victim to be connected to the Internet. The Kirk Ransomware uses a combination of AES and RSA encryption to ensure that the victim's files are fully encrypted and not recoverable without access to the decryption key.

The Similarities of the Kirk Ransomware and the Karma Ransomware

The Kirk Ransomware has a lot in common with the Karma Ransomware, although it is clear that the Kirk Ransomware is a standalone infection and does not seem to belong to any specific ransomware family. The Kirk Ransomware encrypts more than 900 different file types during its attack. Files encrypted by the Kirk Ransomware can be identified by the extension '.kirked,' which is added to the end of each affected file's name. These files remain completely inaccessible until the victim pays a ransom in exchange for the decryption key. Malware analysts strongly advise against paying this ransom.

How the Kirk Ransomware Ransom Process Works

The Kirk Ransomware is written in Python and demands payment in the Monero digital currency, unlike most ransomware Trojans, which demand payment in Bitcoin. The Kirk Ransomware's ransom note is delivered as a text file named 'RANSOM_NOTE.txt' that is dropped on the infected computer's Desktop. Currently, the Kirk Ransomware demands a payment of 50 Monero, which is about $1,200 USD at the current exchange rate. The ransom note is quite long and contains several pictures created using ASCII characters. Below is a fragment of the Kirk Ransomware's ransom note:

'Oh no! The Kirk Ransomware has encrypted your files!
Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked
up so they don't work. This may have broken some software, including games, office suites etc.
Here's a list of some the file extensions that were targetted:
.3g2 .rar .jar .cgi .class .jtd .potx .xex .dds
.3gp .jpg .csv .pl .cd .jtt .potm .tiger .ff
.asf .jpeg .psd .com .java .hwp .sda .lbf .yrp
.asx .png .wav .wsf .swift .602 .sdd .cab .pck
.avi .tiff .ogg .bmp .vb .pdb .sdp .rx3 .t3
.flv .zip .wma .bmp .ods .psw .cgm .epk .ltx
.ai .7z .aif .gif .xlr .xlw .wotreplay.vol .uasset
.m2ts .dif.z .mpa .tif .xls .xlt .rofl .asset .bikey
.mkv .exe .wpl .tiff .xlsx .xlsm .pak .forge .patch
.mov .tar.gz .arj .htm .dot .xltx .big .lng .upk
.mp4 .tar .deb .js .docm .xltm .bik .sii .uax
.mpg .mp3 .pkg .jsp .dotx .xlsb .xtbl .litemod .mdl
.mpeg .sh .db .php .dotm .wk1 .unity3d .vef .lvl
mpeg4 .c .dbf .xhtml .wpd .wks .capx .dat .qst
.rm .cpp .sav .cfm .wps .123 .ttarch .papa .ddv
.swf .h .xml .rss .rtf .sdc .iwi .psark .pta
.vob .mov .html .key .sdw .slk .rgss3a .ydk
.wmv .gif .aiml .odp .sgl .pxl .gblorb .mpq
.doc .txt .apk .pps .vor .wb2 .xwm .wtf
.docx .py .bat .ppt .uot .pot .j2e .bsa
.pdf .pyc .bin .pptx .uof .pptm .mpk .re4
There are an additional 441 file extensions that are targetted. They are mostly to do with games.
To get your files back, you need to pay. Now. Payments recieved more than 48 hours after the time of
infection will be charged double. Further time penalties are listed below. The time of infection has
been logged.
Any files with the extensions listed above will now have the extra extension '.kirked', these files
are encrypted using military grade encryption.
In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.
You will also find a file named 'pwd' - this is your encrypted password file. Although it was
generated by your computer, you have no way of ever decrypting it. This is due to the security
of both the way it was generated and the way it was encrypted. Your files were encrypted using
this password.'

Dealing with the Kirk Ransomware

The best way to deal with the Kirk Ransomware is to have backup copies of all files. This is the best protection against ransomware since it removes the con artists' power to demand ransom payments from the victim. Apart from having file backups, PC security researchers strongly recommend the use of a reliable security program that is fully up-to-date.
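Restoring from backup starts with knowing which files were hit. The following is an added example, not code from the original page: a read-only triage script that uses only the indicators named above (the '.kirked' suffix, 'RANSOM_NOTE.txt' and the 'pwd' file). The function names, report keys and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the page and the quoted ransom note.
KIRKED_SUFFIX = ".kirked"      # appended to each encrypted file's name
NOTE_NAME = "RANSOM_NOTE.txt"  # ransom note file name
PWD_NAME = "pwd"               # encrypted password file described in the note

def triage(root):
    """Walk root read-only and collect Kirk file-system indicators."""
    report = {"to_restore": [], "by_ext": Counter(), "notes": [], "run_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            report["notes"].append(os.path.join(dirpath, NOTE_NAME))
            # The note says it sits beside 'pwd' where the program was run.
            if PWD_NAME in files:
                report["run_dirs"].append(dirpath)
        for name in files:
            if not name.lower().endswith(KIRKED_SUFFIX):
                continue
            # Strip the added suffix to recover the original name and type.
            original = name[:-len(KIRKED_SUFFIX)]
            ext = os.path.splitext(original)[1].lower() or "(none)"
            report["to_restore"].append(os.path.join(dirpath, original))
            report["by_ext"][ext] += 1
    return report

def sample_report():
    """Run triage() over a constructed tree of empty files (not real data)."""
    layout = ["Desktop/RANSOM_NOTE.txt", "Downloads/RANSOM_NOTE.txt",
              "Downloads/pwd", "Documents/report.docx.kirked",
              "Documents/scan.PDF.kirked", "Documents/budget.docx.kirked",
              "Documents/notes.txt", "Documents/pwd"]
    with tempfile.TemporaryDirectory() as root:
        for item in layout:
            path = os.path.join(root, *item.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        report = triage(root)
        # Make paths relative so the result does not depend on the temp dir.
        short = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        for key in ("to_restore", "notes", "run_dirs"):
            report[key] = sorted(short(p) for p in report[key])
    return report

if __name__ == "__main__":
    print(sample_report())
```

The 'to_restore' list gives the original file names to pull from backup, and 'run_dirs' marks folders holding both the note and 'pwd', which the note describes as the place the program was run from.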


Technical Information

File System Details

Kirk Ransomware creates the following file(s):
#   File Name   Size        MD5                                Detection Count
1   file.exe    5,756,255   78117f7acc8b385e9b29fe711436d16d   4
