Chimera ransomware seems to have disappeared as suddenly as it had appeared. During last week, researchers from Bleeping Computer recorded termination of new demanding operation which have already alarmed some members of the IB community.
Chimera locker was mostly distributed in Germany and it has unusual feature, in case victim refuses to pay ransom, ransomware threatens to publish victim’s personal files online, however, the researchers saying that it is not capable to perform such action. “It encrypts data files, but it will not transfer any files, nor their data during the encryption process” – said Lawrence Abrams from Bleeping Computer. Moreover, ransomware deletes itself after execution, without leaving any data that could be transferred later. Descrambler, downloaded by victim, remains active in anticipation of the key for decryption, but the analysis of the source code shows that it is unable to send any files anywhere.
From the words of Abrams, the new ransomware also dragged attention of Fabian Wosar from Emsisoft. Abrams’ colleague believes that the activities of Chimera in Germany brought him so much attention and to avoid troubles, the developers of this ransomware decided to stop their activity. Whatever it was, it is expected that the Chimera’s experience will find its followers.
According to Abrams, particular interest in this regard is an unusual use of P2P protocol Bitmessage. Chimera uses it to exchange between extortionists and victims, as well as for payment transactions. Bitmessage works similarly to Bitcoin: it supports decentralization and provides encryption of messages to all subscribers. Only those users who have the private key (in this case, the developers of Chimera) can read the messages.
“As long as virus developers have an access to computer, they can read messages in Bitmessage, collect new keys and send the decryption key” – says Abrams. All of the Bitmessage messages are stored and available for peers for two days, which provides a cyber criminals freedom of movement while maintaining access to the messages delivered during that period. Since many peers using TOR, VPN, I2P and also can forward messages, it is impossible to identify the real source.
Chimera Ransomware appeared in Germany in September 2015, it was distributed through targeted email-mailings addressed to corporate users. In early November, botnet fighters from Botfrei Company, posted in their blog a warning about new ransomware software. There observed that the malicious emails disguised as a business propositions or a messages from a candidate for employment and containing links to the infected Dropbox page. Once victim downloads and executes Chimera, it encrypts all of user’s files stored on local and network drives and demands a ransom of 630 Euros in Bitcoins. In case of non-payment, extortionists threaten to publish user’s personal information and photos online.
For more detailed information about Chimera Ransomware and how to get rid of it please read this article: http://removalbits.com/how-to-remove-chimera-ransomware-from-your-computer-removal-guide/ .