The ‘scareware' variant of the Chimera ransomware trojan has been spotted by the Cologne-based anti-botnet advisory centre, Botfrei (‘Botfree').
The agency says Chimera is a classic blackmail trojan which is now targeting specific employees in German companies with fake emails about job applications or job offers.
The emails point them to a Dropbox address to get more information but if victims click on the link, Chimera instantly starts to encrypt their computer files and the data on their corporate network.
In an extra twist, Chimera also threatens to publish their photos and other personal information online if they fail to pay the 2.45 bitcoin (£450) ransom.
But in a 26 October blog, Botfrei says there is so far no evidence that the criminals have stolen or published any personal data, saying: “Fear and intimidation is their motivation.”
Independent security experts also see Chimera's latest variant as “new and scary” but are divided on whether its promise to publish personal photos is a bluff.
Mark James, security specialist with ESET UK, told SCMagazineUK.com via email: “It's certainly a new take on the ransomware scenario, but copying that data offsite for public dissemination is to be honest not worth the time and effort involved. Also it increases massively the amount of footprint this type of malware will leave behind for the authorities to follow.
“I would imagine the scare tactic to enforce the payment is the main goal here and actually removing data is not on the agenda – but let's be clear, it's not impossible to do.”
James also believes Chimera is likely to spread to English-speaking countries such as the UK. “We have seen many variants of CryptoLocker targeted for different countries and tailored for maximum effectiveness and this was very successful. There is no reason to suggest that this is localised and will only stay in Germany,” he said.
Bob Covello, an information security analyst with The Navigators Group and 20-year technology veteran, is more convinced that the photo-posting threat is a bluff.
In a 1 November blog analysing the latest Chimera version he said: “This is a new and scary development in ransomware, but I am willing to make a bold prediction that it is a scare tactic with no teeth.
“Photos, videos, music files and all the other targets of modern ransomware add up to an enormous amount of data. If the data was exfiltrated to an external entity, not only would the storage amount to a massive collection, but the trail to the storage location would be easy for the authorities to trace.
“Another problem with this threat is it would assume that someone is combing through the files for that personal information. This is a level of involvement that most ransomware criminals do not want to broach. Ransomware is designed for a quick payday for the criminals with little interaction with the victim.”
Covello also criticised advice given by the FBI last week to pay ransoms: as SCMagazine.com (our US sister publication) reported, FBI assistant special agent Joseph Bonavolonta reportedly told the Cyber Security Summit in Boston that “we often advise people just to pay the ransom", because the Bureau cannot crack the encryption.
But Covello said they “should help victims rather than advising them to support a criminal enterprise”.
Mark James agreed: “My recommendation would be to not pay at all, as you would quite simply be funding criminal behaviour. Make sure your applications, operating system and security software is up-to-date and make sure you backup regularly is the best defence against this type of behaviour. Backup options these days are so cheap that it really is a no-brainer: DO NOT PAY.”
We contacted Botfrei for more information but they had not responded by time of writing.
