In a weird twist on Stockholm Syndrome, the Chimera ransomware is taking victims hostage, then recruiting them to join the criminal team, according to researchers at Trend Micro's TrendLabs.
Compared to other ransom messages, Chimera's is refreshingly brief, straightforward, and polite: it says "please" twice. What's particularly noteworthy, though, is the addition at the bottom:
"Take advantage of our affiliate program! More information in the source code of this file."
The disassembled code does in fact contain contact information: a Bitmessage address, a channel through which both parties' identities are masked and their communication is encrypted. From the report:
Peddling ransomware as a service (or RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators. Selling ransomware as a service allows creators to enjoy some profit without the increased risk of detection. For Chimera, the commission is 50%, a large payoff for lesser effort.
The drawback of the model is that the code itself is less sophisticated, with weak command-and-control infrastructure and no obfuscation.
Chimera first appeared on the scene in September, demonstrating another novel tactic: threatening to publish a victim's files online if payment is not received. The threat, however, might be empty. According to TrendLabs, "our analysis reveals the malware has no capability of siphoning the victim's files to a command-and-control (C&C) server."
It's not uncommon for ransomware to make empty threats. As Engin Kirda, chief architect at Lastline, has told Dark Reading before, some ransomware claims to encrypt files when it can't. Yet, as Michael Sentonas, vice president and chief technology officer of Security Connected for Intel Security, wrote on Dark Reading, "It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will."