Ransomware with a Star Trek theme has been found in cyberspace. But the criminal Enterprise is leaving potential Trekkie ransomware victims’ files secure in the shadows.
“This is no Borg and it’s not even up to Klingon badness – at least in this specific reiteration,” says malware researcher Moritz Kroll with the Avira Protection Services. “This may be just a preliminary ‘test’ variant.”
Do not despair!
Infected users should not immediately despair. Instead, they should try to recover their files from the Volume Shadow Copies that Windows keeps, because this ransomware, unlike most other ransomware families, does not delete them, Moritz points out. Shadow copies hold earlier versions of the files rather than a way to decrypt the encrypted ones, so this only helps on machines where System Protection was enabled and a snapshot was taken before the infection; the quickest check is to run vssadmin list shadows from an elevated command prompt.
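The check and recovery step described above, as an added Python example written for this article (it is not Avira's code nor anything from the sample): it parses the text that vssadmin list shadows prints, picks the newest snapshot of the drive that holds a file, and builds the \\?\GLOBALROOT path through which the pre-infection copy of that file can be read. The vssadmin output embedded in the script is constructed for illustration, its date format assumes an English (US) locale, and the file path is a made-up example.

```python
"""Locate the newest Volume Shadow Copy of a file from `vssadmin list shadows` output.

Added example, not part of the original article or the ransomware sample.
Run `vssadmin list shadows` in an elevated prompt and feed its text to parse_shadows().
"""
import re
import shutil
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample of `vssadmin list shadows` output (en-US locale), not captured from a real host.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1b1d0c6e-6d2c-4d5e-9a3b-0c0c0c0c0001}
   Contained 1 shadow copies at creation time: 3/10/2017 8:03:12 AM
      Shadow Copy ID: {2a2e1d7f-7e3d-4e6f-8b4c-1d1d1d1d0001}
         Original Volume: (C:)\\?\Volume{3c3f2e80-8f4e-4f70-9c5d-2e2e2e2e0001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1b1d0c6e-6d2c-4d5e-9a3b-0c0c0c0c0002}
   Contained 1 shadow copies at creation time: 3/14/2017 9:12:44 PM
      Shadow Copy ID: {2a2e1d7f-7e3d-4e6f-8b4c-1d1d1d1d0002}
         Original Volume: (C:)\\?\Volume{3c3f2e80-8f4e-4f70-9c5d-2e2e2e2e0001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# vssadmin prints the creation time in the machine's locale; this is the en-US form.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_shadows(text):
    """Return one dict per shadow copy: id, created (datetime), drive letter, device path.

    An empty list means vssadmin found nothing, e.g. after a sample that ran
    `vssadmin delete shadows /all /quiet`, which most other ransomware does.
    """
    shadows = []
    created = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained ") and "creation time:" in line:
            created = datetime.strptime(line.split("creation time:", 1)[1].strip(), TIME_FORMAT)
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created,
                       "drive": None, "device": None}
            shadows.append(current)
        elif line.startswith("Original Volume:") and current is not None:
            match = re.search(r"\((\w:)\)", line)  # the "(C:)" in front of the volume GUID
            current["drive"] = match.group(1).upper() if match else None
        elif line.startswith("Shadow Copy Volume:") and current is not None:
            current["device"] = line.split(":", 1)[1].strip()
    return shadows


def newest_shadow_for(shadows, drive):
    """Newest snapshot holding the given drive letter (e.g. 'C:'), or None if there is none."""
    candidates = [s for s in shadows if s["drive"] == drive.upper() and s["device"]]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s["created"] or datetime.min)


def shadow_path(shadow, original_path):
    r"""Map C:\Users\x\doc.docx to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Users\x\doc.docx."""
    path = PureWindowsPath(original_path)
    if path.drive.upper() != shadow["drive"]:
        raise ValueError(f"{original_path} is not on {shadow['drive']}")
    relative = path.relative_to(path.anchor)  # strip "C:\" so the rest hangs off the snapshot device
    return f"{shadow['device']}\\{relative}"


def restore_from_shadow(shadow, original_path, destination):
    r"""Copy the pre-infection version out of the snapshot (Windows only, needs admin rights).

    Returns the snapshot path that was read. If direct access to the GLOBALROOT path is refused,
    expose the snapshot first with  mklink /d C:\shadow <device>\  and copy from C:\shadow instead.
    """
    source = shadow_path(shadow, original_path)
    shutil.copy2(source, destination)
    return source


if __name__ == "__main__":
    found = parse_shadows(SAMPLE_VSSADMIN_OUTPUT)
    newest = newest_shadow_for(found, "C:")
    if newest is None:
        print("no usable shadow copy: fall back to backups")
    else:
        target = r"C:\Users\alice\Documents\report.docx"  # constructed example path
        print("newest snapshot:", newest["device"], "taken", newest["created"])
        print("read the clean copy from:", shadow_path(newest, target))
```

On a real machine, replace SAMPLE_VSSADMIN_OUTPUT with the captured output of vssadmin list shadows and pass the encrypted file's path to restore_from_shadow; the same parser returning an empty list is also a quick way to confirm that a different sample has wiped the snapshots.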
However, this ransomware is not moving ahead at warp speed. In fact, Moritz is not convinced that this ransomware is part of a general campaign or even a targeted distribution. “So far, we have only seen two users requesting information about this file in our cloud, and they may just have been other researchers,” he explains. “This may be a ‘test’ version, which was found by security researchers even before it was actually meant to be released into the world.”
Two technical details of the Trekkie ransomware
Apart from the Trekkie branding, this ransomware stands out for two technical details. First, it is written in Python, a language not commonly used for malware. Second, it demands payment in Monero, a less widely used, privacy-focused cryptocurrency, instead of the better-known Bitcoin. Victims are hit with a time-sensitive demand that starts at 50 Monero (107 Euro) and ratchets up to 500 Monero after two weeks. After a month, the bad guys threaten to delete the private key needed for decryption, leaving victims with no way to recover their files.
As reported by Bleeping Computer, the Trekkie ransomware poses as the network stress tool Low Orbit Ion Cannon (LOIC), which also sounds a bit sci-fi. The executable, named loic_win32.exe, generates a random AES key and uses it to encrypt the victim's files. That AES key is then encrypted with an RSA-4096 public key embedded in the binary and written to a file called pwd. Do not delete this pwd file: it holds the only copy of the AES key, and since the matching RSA private key exists only on the attackers' side, pwd is the one thing that could ever be turned into a decryptor, whether by paying or because the private key becomes available later. Without it, the files are gone for good.
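The key handling described above, as an added Python example written for this article (not the sample's own code): one fresh AES key encrypts the files, the RSA public key embedded in the binary wraps that key into the pwd blob, and the plaintext key is then discarded. The example shows why pwd matters: with pwd and the operators' private key the files come back, with a different private key or with pwd gone nothing does. The padding (OAEP) and cipher mode (AES-GCM) are this example's choices, the article does not say what the sample uses; the file contents are constructed; the cryptography package must be installed.

```python
"""Hybrid RSA-wrapped AES key handling, as an added illustration of the 'pwd' file.

Not the ransomware's source. Needs: pip install cryptography
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP is this example's padding choice; the article does not say which padding the sample uses.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12  # AES-GCM nonce prepended to each encrypted file (example's own layout)


def operator_keypair(bits=4096):
    """Generated once by the operators; only the public half is embedded in the binary."""
    private = rsa.generate_private_key(public_exponent=65537, key_size=bits,
                                       backend=default_backend())
    return private, private.public_key()


def wrap_key(aes_key, public_key):
    """Produce the contents of 'pwd': the AES key encrypted to the embedded public key."""
    return public_key.encrypt(aes_key, OAEP)


def unwrap_key(pwd_blob, private_key):
    """Recover the AES key from 'pwd'; only possible with the operators' private key."""
    return private_key.decrypt(pwd_blob, OAEP)


def encrypt_blob(aes_key, data):
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(aes_key).encrypt(nonce, data, None)


def decrypt_blob(aes_key, blob):
    return AESGCM(aes_key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def infect(files, public_key):
    """Encrypt every file with one fresh AES key and return (encrypted files, pwd blob).

    The plaintext key is deliberately not returned: once this finishes, pwd is the only
    trace of it anywhere on the victim's machine.
    """
    aes_key = AESGCM.generate_key(bit_length=256)
    encrypted = {name: encrypt_blob(aes_key, data) for name, data in files.items()}
    return encrypted, wrap_key(aes_key, public_key)


def recover(encrypted, pwd_blob, private_key):
    """What a decryptor does once the private key is available."""
    aes_key = unwrap_key(pwd_blob, private_key)
    return {name: decrypt_blob(aes_key, blob) for name, blob in encrypted.items()}


def can_recover(encrypted, pwd_blob, private_key):
    """True if pwd and this private key together yield the original files."""
    try:
        recover(encrypted, pwd_blob, private_key)
        return True
    except (ValueError, InvalidTag):  # wrong key or malformed/missing pwd
        return False


def demo(bits=4096):
    """Walk through the infection and the recovery scenarios; returns a dict of outcomes."""
    private, public = operator_keypair(bits)
    # Constructed sample "victim files", not real data.
    files = {"report.docx": b"constructed sample document", "photo.jpg": os.urandom(64)}
    encrypted, pwd = infect(files, public)
    restored = recover(encrypted, pwd, private)
    wrong_private, _ = operator_keypair(bits)  # any key that is not the operators' one
    return {
        "pwd_bytes": len(pwd),  # one RSA block: the modulus size in bytes
        "with_pwd_and_private_key": restored == files,
        "with_wrong_private_key": can_recover(encrypted, pwd, wrong_private),
        "pwd_deleted": can_recover(encrypted, b"", private),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

Nothing on the victim's disk contains the private key, so there is no offline shortcut; the practical consequence is that pwd must be kept (copy it alongside the encrypted files before reinstalling) in case the private key ever becomes available.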
“You can find some ‘good advice’ from “Kirk” in the message box for really curious users,” adds Moritz. “‘We recommend that you do NOT run this again’.” How sweet, ransomware writers with a sense of (black) humor.
Since this looks like a test variant, further versions of the Trekkie ransomware will probably follow, and it is not yet clear what delivery vehicles they will use. The standard precautions still apply: keep your AV active, update your software, have a backup system in place, and don't click on suspicious links. Because the next version may well delete the shadow copies the way most other ransomware does, treat them as a lucky break rather than a backup, and keep a copy of important files offline or somewhere an infected machine cannot reach.