
Chimera Crypto-Ransomware Wants You (As the New Recruit)

  • Posted on:December 3, 2015 at 12:57 am
  • Posted in:Malware, Ransomware
  • Author:
    Anthony Joe Melgarejo (Threat Response Engineer)

Victim or potential business partner?

That’s the question raised by the crypto-ransomware named Chimera (Ransom_CRYPCHIM.A). At first glance, it might seem like your typical crypto-ransomware. However, there are three things that make Chimera stand out.

Online Extortion

The first is the threat of exposure: Chimera not only encrypts files, it also threatens to post them online if the ransom isn’t paid. This is the first time we’ve seen a crypto-ransomware threaten to publicly release the very data it has encrypted.


Figure 1. The malware has two versions of the ransom note, written in German and English

This threat, of course, adds more incentive for any victim to pay the ransom. After all, encrypted files can be recovered, thanks to back up files. However, there is no clear, easy remedy to data leakage.

Our analysis reveals that, despite the threat, the malware is not capable of exfiltrating the victim’s files to a command-and-control (C&C) server. The only information it sends to its server is the generated victim ID, the Bitcoin address, and the private key.

Affiliate Program

The ransom note also contains another interesting proposition for victims. At the bottom of the note, it states that users should “take advantage of [their] affiliate program,” with more details in the source code of the file. The latter is clearly a way to sift out people with technical skills.


Figure 2. Invitation to the affiliate program

Looking at the disassembled code, there is indeed a contact address for anyone interested in joining them. The address is a Bitmessage address; Bitmessage is a legitimate peer-to-peer communications protocol used to send encrypted messages and mask the receiver and sender.


Figure 3. Message in the source code

Paying the Ransom

But what if the victim decides to pay the ransom?

The ransom note instructs victims to download the Decrypter software. Once downloaded, the software first searches for the encrypted files and the ransom note to determine the Bitcoin address generated for that victim.

It then displays the message below.


Figure 4. Further instructions for payment

The Decrypter software also contains an embedded Bitmessage client. Once a payment has been confirmed, the threat actor sends a Bitmessage containing the victim ID and decryption key, which the Decrypter software uses to verify the victim and proceed with decryption.

Ransomware as a Service

It might seem a bit odd that malware authors or creators are opening doors to potential partners. After all, why bother sharing the profit?

Peddling ransomware as a service (or RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators. Selling ransomware as a service allows creators to enjoy some profit without the increased risk of detection. For Chimera, the commission is 50%, a large payoff for less effort.

But compared to other ransomware (e.g., CryptoWall, TeslaCrypt), we find that RaaS operations aren’t as sophisticated. Operations are sometimes disrupted even before they are fully deployed. The code lacks any obfuscation, leaving unique strings that researchers or investigators can use to identify the threat. Some RaaS offerings lack good C&C infrastructure or fail to take advantage of Tor2Web, relying instead on a downloadable Tor executable for communication.

Paying the Price?

Chimera’s routines, while new to the ransomware circuit, fall in line with our 2016 prediction of the rise of online extortion. We mentioned that cyber extortionists will devise new ways to target their victims’ psyche to make each attack “personal”—whether the victim is an end user or an enterprise. Reputation is everything, and threats that can ruin an individual’s or a business’ reputation will prove to be effective and—more importantly—lucrative. Posting personal files online obviously falls under the category of ruining a person’s reputation.

While it might seem easier to just give in to demands and pay the ransom, there’s no guarantee that the cybercriminals will even honor the deal. To make sure your files are never lost to ransomware, we urge users to regularly back up their files, following the 3-2-1 rule.

Hashes for related files:

  • 806a8b0edee835c0ff1bb566a3cb92586354fec9
  • 8b91f3c4f721cb04cc4974fc91056f397ae78faa
  • a039ae3f86f31a569966a94ad45dbe7e87f118ad
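One practical use of the hashes above is to sweep a file share, a quarantine folder, or a collected sample directory for them. The following is an added example, not code from the original post or from Trend Micro: a Python script that hashes every file under a directory and reports matches against the SHA-1 list above. The directory tree it scans in its demo is constructed (temporary files with made-up contents), and the demo’s second sweep adds the constructed sample’s own hash to the indicator set only so that the output shows what a match looks like.

```python
import hashlib
import os
import shutil
import tempfile

# SHA-1 hashes of Chimera-related files, as listed in the write-up above.
CHIMERA_SHA1 = {
    "806a8b0edee835c0ff1bb566a3cb92586354fec9",
    "8b91f3c4f721cb04cc4974fc91056f397ae78faa",
    "a039ae3f86f31a569966a94ad45dbe7e87f118ad",
}


def sha1_of_bytes(data):
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 hex digest of a file, read in chunks so that large files
    do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicators=CHIMERA_SHA1):
    """Walk `root` and return [(path, sha1)] for every file whose SHA-1 is
    in `indicators`. Comparison is case-insensitive; unreadable files are
    skipped rather than aborting the whole sweep."""
    wanted = {h.lower() for h in indicators}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def build_demo_tree():
    """Create a temporary directory holding constructed sample files.
    Neither file is malware; the contents are made up so the demo sweep
    has something to hash."""
    root = tempfile.mkdtemp(prefix="chimera_ioc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly report draft\n")
    sample = os.path.join(root, "sub", "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE - stands in for a file whose hash is an IoC\n")
    return root, sample


def demo():
    """Run two sweeps over the constructed tree and return the matched file
    names: first with only the hashes from the write-up (no match expected,
    since no real Chimera binary is present), then with the constructed
    sample's own hash added to the indicator set (one match expected)."""
    root, sample = build_demo_tree()
    try:
        page_only = [os.path.basename(p) for p, _ in scan_tree(root, CHIMERA_SHA1)]
        with_sample = [os.path.basename(p) for p, _ in
                       scan_tree(root, CHIMERA_SHA1 | {sha1_of_file(sample)})]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return page_only, with_sample


if __name__ == "__main__":
    before, after = demo()
    print("hits with write-up hashes only:", before)
    print("hits with constructed sample hash added:", after)
```

To use it against a real directory, call `scan_tree("/path/to/share")` and review the returned `(path, sha1)` pairs; a hit on one of the listed hashes means a copy of a known Chimera-related file is present and should be isolated and investigated, not executed.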
Tags: chimera, crypto-ransomware, Malware, online extortion, ransomware
