- Jan 24, 2011
Victim or potential business partner?
That’s the question raised by the crypto-ransomware named Chimera (Ransom_CRYPCHIM.A). At first glance, it might seem like your typical crypto-ransomware. However, there are three things that make Chimera stand out.
Online Extortion
The first is the threat of exposure: Chimera not only encrypts files, it also threatens to post them online if the ransom isn’t paid. This is the first time we’ve seen any crypto-ransomware threaten to publicly release data that they’ve encrypted in the first place.
Figure 1. The malware has two versions of the ransom note, written in German and English
This threat, of course, adds more incentive for any victim to pay the ransom. After all, encrypted files can be recovered, thanks to backup files. However, there is no clear, easy remedy to data leakage.
Our analysis reveals that despite the threat, the malware has no capability of siphoning the victim’s files to a command-and-control (C&C) server. The only information it sends to its server is the generated victim ID, Bitcoin address, and private key.
Affiliate Program
The ransom note also contains another interesting proposition for victims. At the bottom of the note, it states that users should “take advantage of [their] affiliate program,” with more details in the source code of the file. The latter is clearly a way to sift out people with technical skills.
Figure 2. Invitation to the affiliate program
Looking at the disassembled code, there actually is an address on how to contact them in case you are interested in joining them. The address is a Bitmessage address; Bitmessage is a legitimate peer-to-peer communications protocol used to send encrypted messages and mask the receiver and sender.
Read more: Chimera Crypto-Ransomware Wants You (As the New Recruit) | Security Intelligence Blog | Trend Micro