Kirk Ransomware Removal Guide

Do you know what Kirk Ransomware is?

Malware analysts have recently discovered a new interesting malicious application called Kirk Ransomware. Although it has been classified as ransomware, it differs from similar ransomware-type infections in several aspects. First of all, specialists have not seen a ransomware infection using a Star Trek franchise theme before. Second, this threat is developed in the Python programming language. Third, although it enters computers with the intention of obtaining money from users and demands a ransom, the ransom needs to be sent in the Monero digital currency, which is a new thing among ransomware infections. Last but not least, after the encryption of users’ personal files, Kirk Ransomware stores the unique RSA key on a victim’s Desktop in a file pwd. Evidently, it is quite a sophisticated malicious application, but, since it does not block system utilities, create new registry keys in the System Registry or copy its executable file to several different places, it should not be that hard to erase it. Even if you face difficulties, make sure you erase Kirk Ransomware fully because its presence might lead to the emergence of serious problems.

Users usually get Kirk Ransomware from untrustworthy third-party pages, e.g. file-sharing or torrent websites. On top of that, it can be spread as an attachment in spam emails. We cannot blame users for allowing this threat to enter their PCs because this ransomware infection pretends to be Low Orbit Ion Cannon (LOIC), which is an open-source network stress testing application. The fake program installer usually comes having this name loic_win32.exe, but, of course, this file might be named differently too. Once a user downloads and executes it, a small message box “Low Orbital Ion Cannon| When harpoons, air strikes and nukes fail” shows up. It informs that “The LOIC is initializing for your system” and “This may take some time.” If users click OK, Kirk Ransomware starts scanning the C: drive. At this particular moment, it is looking for files to encrypt. At present, it locks 625 file types, so users discover almost all their files stored on the computer encrypted after the entrance of this ransomware infection. All these locked files receive a new filename extension .kirked next to the original extension, e.g. document.doc.kirked. When all the files are encrypted and receive a new filename extension, a new window having a black background is opened by ransomware and RANSOM_NOTE.txt is dropped on the computer. It becomes clear after reading any these files that Kirk Ransomware, just like other ransomware infections, wants users’ money. Our team of experts is against sending money to cyber criminals even if it means that files will be lost forever.Kirk Ransomware Removal GuideKirk Ransomware screenshot
Scroll down for full removal instructions

As becomes clear after reading any of the ransom notes left by this ransomware infection, the only way to get files back is to send money to cyber criminals. The ransom size depends on how quickly a user pays it. For example, if the payment is made after 3-7 days, the size of the ransom is 100 Monero, whereas it will reach 500 Monero if it is paid later (after 15-30 days). 1 Monero equals ~$21, so make the calculation yourself. Actually, it is not enough to make a payment. Users are also asked to send the pwd file (ransomware should create it on Desktop) and the payment transaction ID to kirk.help@scryptmail.com or kirk.payments@scryptmail.com. Cyber criminals promise to send users the “decrypted password file” and the decryption program “Spock” after receiving the payment and the information they need. You are the one who can decide whether or not to transfer money to them, but you should know that there are no guarantees that you will receive the key for unlocking files after making a payment.

Users who decide not to buy the decryption key from cyber criminals should go to fully erase Kirk Ransomware. First of all, they need to kill the process of this infection in the Task Manager and, second, they need to erase all its files one by one. The deletion of ransomware can be performed in an automatic way too. Unfortunately, those encrypted files will not be unlocked even though you fully delete Kirk Ransomware.

Delete Kirk Ransomware manually

  1. Press Ctrl+Shift+Esc and then click on the Processes tab.
  2. Locate the process Kirk, right-click on it, and select End Process.
  3. Delete pwd and RANSOM_NOTE.txt files (they should be placed on Desktop).
  4. Find the malicious recently downloaded file (e.g. loic_win32.exe). Check %USERPROFILE%\Downloads first.
  5. Delete it.
  6. Empty the Trash bin.

In non-techie terms:

Ransomware infections can enter computers together with other untrustworthy applications. Also, in some cases, malicious software actively working on users’ computers without their consent helps ransomware to enter systems unnoticed. Therefore, it would be smart to perform the full system scan with an automatic scanner, such as SpyHunter, to find out whether or not other threats are inside the system. You could use the same antimalware tool to remove those infections, if they are detected, too.