Come to the dark side. Chimera ransomware asks victims to become affiliates

Researchers have observed that the Chimera ransomware offers victims the option of joining its affiliate program upon infection.

Chimera first made headlines at the beginning of November, when the Anti-Botnet Advisory Centre observed a new type of ransomware targeting small and medium-sized German businesses via fake job applications and business offers.

"Several variants of sender addresses try to target specific employees within a company and they have one thing in common: within the email, a link points to a source at Dropbox, claiming that additional information has been stored there," the centre explained. "The users get asked to download these files from there."

Once the link has been clicked, the trojan immediately begins to encrypt all files stored on the local drive and connected network drives, and changes all file extensions to ".crypt". It has since been revealed that the ransomware employs BitMessage, a peer-to-peer messaging system, to generate a code key for its encryption purposes.
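The behaviour described above (files on local and network drives renamed with a ".crypt" extension in quick succession) is something a defender can watch for. The following is an added example, not code from the article or the researchers it quotes: a small detector run over a constructed feed of file-rename events; the event format, the 60-second window and the threshold of 10 renames are assumptions.

```python
"""Flag bursts of renames to ".crypt" across local and network drives.
Added illustration; the event schema, window and threshold are assumed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime      # time of the rename
    old_path: str     # path before the rename
    new_path: str     # path after the rename


def is_crypt_rename(ev: RenameEvent) -> bool:
    """True when a file that was not .crypt before gains the .crypt suffix."""
    return (ev.new_path.lower().endswith(".crypt")
            and not ev.old_path.lower().endswith(".crypt"))


def drive_root(path: str) -> str:
    # "C:\..." -> "C:"; UNC "\\server\share\..." -> "\\server\share"
    if path.startswith("\\\\"):
        return "\\\\" + "\\".join(path[2:].split("\\")[:2])
    return path.split("\\", 1)[0]


def detect_crypt_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Sliding-window count of .crypt renames. Emits one alert per burst
    (time the threshold was crossed, renames in the window, drive roots
    touched) and then resets so a later burst alerts again."""
    recent, alerts = deque(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_crypt_rename(ev):
            continue
        while recent and ev.ts - recent[0].ts > window:
            recent.popleft()
        recent.append(ev)
        if len(recent) >= threshold:
            alerts.append({"at": ev.ts, "count": len(recent),
                           "roots": sorted({drive_root(e.new_path) for e in recent})})
            recent.clear()
    return alerts


def sample_events():
    """Constructed feed: one benign rename, a 12-file burst alternating between
    C: and a network share, then a single stray .crypt rename an hour later."""
    t0 = datetime(2015, 11, 2, 9, 0, 0)
    events = [RenameEvent(t0, r"C:\Users\anna\report.docx", r"C:\Users\anna\report_v2.docx")]
    for i in range(12):
        base = (r"C:\Users\anna\Documents\file%d.xlsx" % i if i % 2 == 0
                else r"\\fileserver\finance\q3_%d.pdf" % i)
        events.append(RenameEvent(t0 + timedelta(seconds=5 + 2 * i), base, base + ".crypt"))
    events.append(RenameEvent(t0 + timedelta(hours=1), r"C:\tmp\x.txt", r"C:\tmp\x.txt.crypt"))
    return events
```

Run against the sample feed, the detector raises exactly one alert, at the tenth rename, naming both the local drive and the share; the lone rename an hour later stays below the threshold.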

Fabian Wosar, a developer at security-software firm Emsisoft, told eWEEK that this design choice makes it difficult for investigators to locate the servers used to manage Chimera:

"It makes it a lot more difficult to shut the entire operation down, as it is not as simple as finding and closing down the malware author’s server. The actual payments are done using Bitcoin, so tracking the payments is not more or less difficult than with most other ransomware these days."

After all of the files have been encrypted, Chimera displays a warning message on the machine's desktop upon reboot. This message demands that the user pay £630 (about $951 USD) in Bitcoin or risk having the attackers publish their information online.

Chimera screenshot

Scary as that threat sounds, no evidence has been found thus far that Chimera can publish any of the files it has encrypted:

"They encrypt the data files but do not transmit any details about these files or the files themselves anywhere during the encryption process. The encryption part of the malware also deletes itself after running, so there is nothing left to transmit them later," Lawrence Abrams of Bleeping Computer relayed to Threatpost. "The decrypter that they have you download does sit there running while it waits for the decryption key to be sent to it, but we have the source code for it and it does not send data files anywhere."

However, Chimera differentiates itself from other ransomware by presenting victims who don't want to pay with an interesting proposition. A note at the bottom of the warning message invites users to "take advantage of [its] affiliate program" and directs them to learn more by exploring the ransomware's source file, a means of sifting out technical talent.


Sure enough, there is a BitMessage address located in the code that a user can use to contact Chimera's operators if they are interested in joining up.

Chimera code

Take advantage of our affiliate-program!
We offer you 50% of our profits.

As security firm Trend Micro explained in a blog post, ransomware as a service does have its advantages, in that it allows both the malware's creators and its affiliates to profit with a reduced chance of the ransomware's servers being discovered by law enforcement.

Even so, Trend Micro's researchers note that, compared with other ransomware such as CryptoWall, things can get sloppy, to the extent that samples might lack obfuscation or solid C&C infrastructure.

The good news is that Chimera might already be out of commission. SC Magazine reports that both Abrams and Wosar observed in late November that the ransomware is no longer generating keys via BitMessage, which could suggest that Chimera is inactive if not dead.

The bad news is that Chimera is just part of a growing trend of RaaS and that future ransomware variants could also ask tech-savvy users to join up. For those who might be interested in becoming an RaaS affiliate, just don't. Your skills will be much better applied if you join "the good fight" and help to create decryption tools for Chimera and other forms of ransomware.

Ordinary users can protect themselves by maintaining regular backups of their data and by never clicking on suspicious links within an email.

flickr photo shared by john weiss under a Creative Commons ( BY-NC-ND ) license


5 Responses

  1. coyote

    December 3, 2015 at 6:48 pm

    'For those who might be interested in becoming an RaaS affiliate, just don't. Your skills will be much better applied if you join "the good fight" and help to create decryption tools for Chimera and other forms of ransomware.'

    … and whilst you might make a larger short term profit working with them… when you are caught – which will happen eventually if you keep at it (and don't forget cold cases do thaw) – you will have other consequences to consider. There is also this: what if you inadvertently affect friends or relatives? Or someone else you care about? What if they actually have something you want (or need) and now they can't (or refuse to) help you? I think the latter is far more important but maybe that's because honour, ethics and morals means very much to me (and don’t forget either that you reap what you sow).

  2. Darkpawn

    December 4, 2015 at 8:04 pm

    Interesting article. But can they be trusted to pay up when the time comes?

  3. David Payne

    December 5, 2015 at 9:34 am

    Maybe it's out of commission because they recruited a cyber-vigilante! BWAHAHAHAHAHA!

    • David Payne in reply to David Payne.

      December 5, 2015 at 9:59 am

      Or maybe Chimera are cyber-vigilantes, luring those of high skills but low morals and then turning them into stone gargoyles. Of course, that's the most likely explanation!

  4. David Payne

    December 5, 2015 at 9:46 am

    Unless the original filenames AND extensions were recorded I don't see how the original extensions can be restored!

    The decrypter for the blackmailer of Germans is stored on a server with a New Zealand domain-named URL. Someone upset about wars in previous centuries perhaps?
    Thts choice eh bro!
