Chimera Ransomware Trying To Recruit More Operators From Victim Pool
Malware that first appeared in September is now building a ransomware-as-a-service business.
December 3, 2015
In a weird twist on Stockholm Syndrome, the Chimera ransomware is taking victims hostage, then recruiting them to be part of the criminal team, according to researchers at Trend Micro's Trend Labs.
Compared to other ransom messages, Chimera's is refreshingly brief, straightforward, and polite: it says "please" twice. What's particularly noteworthy, though, is the addition at the bottom:
"Take advantage of our affiliate program! More information in the source code of this file."
The disassembled code does actually contain contact info -- a Bitmessage address through which both parties can have their identities masked and their communication encrypted. From the report:
Peddling ransomware as a service (or RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators. Selling ransomware as a service allows creators to enjoy some profit without the increased risk of detection. For Chimera, the commission is 50%, a large payoff for lesser effort.
The drawback of the model is that the code itself is less sophisticated -- with a weak command-and-control infrastructure and no obfuscation techniques.
Chimera first appeared on the scene in September, demonstrating another unique tactic -- threatening to publish a victim's files online if payment is not received. The threats, however, might be empty. According to TrendLabs, "our analysis reveals the malware has no capability of siphoning the victim's files to a command-and-control (C&C) server."
It's not uncommon for ransomware to make empty threats. As Engin Kirda, chief architect at LastLine, has told Dark Reading before, some ransomware claims to encrypt files when it can't. Yet, as Michael Sentonas, vice president and chief technology officer of Security Connected for Intel Security, wrote on Dark Reading, "It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will."