Chimera Ransomware- A Demonstration

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#4
It was initially discovered in Germany (the original ransom message was in German) at the very end of October.

As the malware began appearing in the USA in late November an English translation was added (at 1:17 of the video look to the upper right of the Ransom screen- you have an option of choosing the message to be displayed in either German or English); also USA servers to download the "decrypter" were added- the server used in the video was from New York). They seemingly are still modifying the original ransomware as a number of different variants are popping up including a new one that is VM aware (by using the GetTickCount win32 API).
 

done

Level 5
Verified
Joined
Mar 19, 2015
Messages
216
#6
I'm working on windows 7 pro that was caught by a ransomeware. the system had eset smart security on it. I ran scans with eset boot cd and msert.exe but non of them detecting it. I had to remove it manually by renaming the file and deleting the tasks.

the problem is that all the file were encrypted with no way to restore it. It even encrypt all the files on system restore
anyone have an idea how to get these files back.

thanks
 
Likes: Der.Reisende
Joined
May 11, 2014
Messages
1,622
OS
Windows 10
Antivirus
Sophos
#7
So VM aware what does that mean, it will not run, or trash the system? I've read that you can either pay, or if you are an IT expert join their program. Such lovely people.

Cruelsister, you have mentioned on many occasions that virtualization is the way forward, is that also for home users - I've been looking at FireEye Endpoint Security, is that any good?
 
Last edited:

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#8
Tony- There is a misconception regarding VM aware malware, in that many think that it will break out of containment. This isn't the case at all- the malware instead will query the environment that it is running in, and if it is determined that it's in a VM it will just shut down. It does this in order to make the user think it is harmless so that he (and certainly not a "she"!) will then run it on a real system and get infected.

Malware can use numerous methods to detect VM's- from simple things like looking for running processes of stuff like Vbox or VMware to things like a Chimera variant did: it measures the time lapse (via GetTickCount) between a series of actions and if they are slower than expected (as VM's are less powerful than actual machines) it will terminate.

About FireEye- it is certainly extremely good but as it works through an appliance and one must pay for multiple seats it really is a Corporation only product (and quite expensive). For Home users Comodo is in my opinion the best choice as with the proper settings it will just "Do" and not "Ask". Make no mistake- Comodo can also be breached- but only with extreme difficulty and under certain circumstances. AV products are a great deal easier to bypass.


Done- Some Encryptors are poorly coded and actually store the encryption key on your computer where it can be fished out; but these are rare and you would have to know exactly what your infection was. But generally if you had System Restore turned off and don't have any external backups your files are lost. I'm really sorry.
 

done

Level 5
Verified
Joined
Mar 19, 2015
Messages
216
#9
Tony- There is a misconception regarding VM aware malware, in that many think that it will break out of containment. This isn't the case at all- the malware instead will query the environment that it is running in, and if it is determined that it's in a VM it will just shut down. It does this in order to make the user think it is harmless so that he (and certainly not a "she"!) will then run it on a real system and get infected.

Malware can use numerous methods to detect VM's- from simple things like looking for running processes of stuff like Vbox or VMware to things like a Chimera variant did: it measures the time lapse (via GetTickCount) between a series of actions and if they are slower than expected (as VM's are less powerful than actual machines) it will terminate.

About FireEye- it is certainly extremely good but as it works through an appliance and one must pay for multiple seats it really is a Corporation only product (and quite expensive). For Home users Comodo is in my opinion the best choice as with the proper settings it will just "Do" and not "Ask". Make no mistake- Comodo can also be breached- but only with extreme difficulty and under certain circumstances. AV products are a great deal easier to bypass.


Done- Some Encryptors are poorly coded and actually store the encryption key on your computer where it can be fished out; but these are rare and you would have to know exactly what your infection was. But generally if you had System Restore turned off and don't have any external backups your files are lost. I'm really sorry.
Thanks for your answer and help
It is a customer machine that I'm trying to recover. system restore was not turned off but the virus encrypted all the previous versions as well. I've never seen a ransomeware that manged to encrypt previous versions.

I'm going to try diskdiger I had luck with it once

Thanks for your awesome work

Regards
 
Likes: Der.Reisende

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#10
I hope that UAC was either turned off or at less than Default. This will allow many things to trash Restore points. Another possibility is malware that works like my Chaos scriptor by ignoring UAC altogether; that would be very, very bad.
 
Likes: Der.Reisende

done

Level 5
Verified
Joined
Mar 19, 2015
Messages
216
#11
Now I think I understand what happened
The files of the crypto were created on May 2015 and I have restore point of June to August 2015
conclusions: the infection was on May this year, they occasionally used the computer until August and left it a side until now. all the restore point were created after the infection thats why previous version were infected

And yes UAC is disabled however now we know why the restore point were infected.

Now I found it hard to understand how come eset does not have it on his database after 6
months

Kind Regards
 
Likes: Der.Reisende