Victim or potential business partner?
That’s the question raised by the crypto-ransomware named Chimera (Ransom_CRYPCHIM.A). At first glance, it might seem like your typical crypto-ransomware. However, there are three things that make Chimera stand out.
The first is the threat of exposure: Chimera not only encrypts files, it also threatens to post them online if the ransom isn’t paid. This is the first time we’ve seen a crypto-ransomware family threaten to publicly release the very data it has encrypted.
Figure 1. The malware has two versions of the ransom note, written in German and English
This threat, of course, adds more incentive for a victim to pay the ransom. After all, encrypted files can be recovered from backups. However, there is no clear, easy remedy for data leakage.
Our analysis reveals that despite the threat, the malware has no capability of siphoning the victim’s files to a command-and-control (C&C) server. The only information it sends to its server is the generated victim ID, Bitcoin address, and private key.
The ransom note also contains another interesting proposition for victims. At the bottom of the note, it states that users should “take advantage of [their] affiliate program,” with more details in the source code of the file. Hiding the details in the source code is clearly a way to screen for people with technical skills.
Figure 2. Invitation to the affiliate program
Looking at the disassembled code, there is indeed a contact address for anyone interested in joining them. It is a Bitmessage address; Bitmessage is a legitimate peer-to-peer communications protocol used to send encrypted messages and mask the identities of the sender and receiver.
Figure 3. Message in the source code
Paying the Ransom
But what if the victim decides to pay the ransom?
The ransom note instructs victims to download the Decrypter software. Once downloaded, the software first searches for the encrypted files and the ransom note to determine the Bitcoin address generated for that victim.
It then displays the message below.
Figure 4. Further instructions for payment
The Decrypter software also contains an embedded Bitmessage client. Once a payment has been confirmed, the threat actor sends a Bitmessage containing the victim ID and decryption key; the Decrypter software uses these to confirm the victim’s identity and proceed with decryption.
Ransomware as a Service
It might seem a bit odd that malware authors or creators are opening doors to potential partners. After all, why bother sharing the profit?
Peddling ransomware as a service (RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators, allowing them to enjoy some profit without the increased risk of detection. For Chimera, the commission is 50%, a large payoff for less effort.
Compared to other ransomware families (e.g., CryptoWall, TeslaCrypt), however, we find that RaaS operations aren’t as sophisticated. Operations are sometimes disrupted even before they are fully deployed. The code lacks any obfuscation, leaving unique strings that researchers or investigators can use to identify the threat. Some RaaS operations lack good C&C infrastructure or fail to take advantage of Tor2Web, relying instead on a downloadable Tor executable for communication.
Paying the Price?
Chimera’s routines, while new to the ransomware circuit, fall in line with our 2016 prediction of the rise of online extortion. We mentioned that cyber extortionists will devise new ways to target their victims’ psyche to make each attack “personal”—whether for an end user or an enterprise. Reputation is everything, and threats that can ruin an individual’s or a business’s reputation will prove to be effective and—more importantly—lucrative. Posting personal files online clearly falls under the category of ruining a person’s reputation.
While it might seem easier to just give in to the demands and pay the ransom, there is no guarantee that the cybercriminals will honor the deal. To make sure your files are never lost to ransomware, we urge users to regularly back up their files, following the 3-2-1 rule.
Hashes for related files: