Chimera ransomware not twitching, must be dead

The Chimera ransomware campaign has apparently had its life cut short, according to security researchers Lawrence Abrams of Bleeping Computer and Fabian Wosar of Emisoft. 

They discovered its inactivity, reporting that they were “no longer seeing keys distributed via the Bitmessage client".

Abrams told, "I monitored the subscription for approximately 48 hours and saw no activity and Fabian confirmed it on his end.”

Chimera is named for the monster of ancient Greek mythology with the heads of a goat, a lion and a snake and dates back to Homer's Epic tale of the Trojan war, The Iliad.

Chimera purported to knock it up a notch when it came to ransomware. Usually, ransomware like CryptoLocker merely encrypts the victim's files and then charges them for decryption. Chimera, however, not only did that but doubled down and promised to publish the user's files online if payment was not made: nude pictures, embarrassing documents and so on were considered fair game for Chimera.

However, researchers at Bleeping Computer found that it was not in fact possible to publish the user's private files online. Lawrence Abrams, the security company's founder, wrote in a blog post that “even though this is a scary threat, the reality is that Chimera does not have the ability to publish your files anywhere”.

Others noted that this does not, however, mean that the Chimera ransomware would not acquire that ability at a later date.

Much like other brands of ransomware, it asked the victim to pay in Bitcoin. Varying estimates have been given as to the average amount asked for nearly £500 or roughly two and a quarter Bitcoins.

The ransomers contacted the unlucky users through Bitmessage, a P2P messaging application which allows the transmission of encrypted messages which can only be decrypted by the recipient. Bitmessage sends messages through every client using the application so details that could identify the sender are effectively obscured.

Chimera seemed to target businesses in Germany, according to the German Anti-botnet Advisory Centre who published their own research on the new piece of ransomware and said that the ransomware would target specific employees within an organization.

Peter Meyer, the manager of ‘', told SC that the centre had first started seeing Chimera in August, “targeting specifically HR managers. Chimera surely wasn't the first campaign targeting HR people, but these emails were very sophisticated and targeted."

In September, Chimera widened its scope to larger groups within a targeted organisation.

Meyer doesn't know how many users were infected because “we and everybody else just see the tip of the iceberg.”

But, said Meyer, the centre received a three-digit number of requests for help regarding this trojan “but this is just a small snapshot of the total victims in Germany.” Meyer believes that “the rate of people paying was higher than in other ransomware cases like CryptoLocker, as people were scared of the risk seeing their personal data, pictures and videos on the internet."

Infection was via a phishing email inviting the victim to click on a Dropbox link. The trojan would download and immediately start encrypting the local drive and connected network drives as well. When the computer was restarted, the user would be treated to a black screen with a message informing them of their misfortune.

Lawrence Abrams of Bleeping Computer doesn't know if we'll see another better and stronger version of Chimera sometime in the near future, but the notable method of Bitmessage distribution may be one to watch: “It's possible, but I am guessing we will see another ransomware being created that uses the same Bitmessage distribution method instead.”

Ransomware attacks are on rise. Sian John, Chief Strategist at Symantec, told SC how you can avoid threats like this: By “taking some simple precautions – like checking your computer's software is up-to-date, avoiding suspicious websites and making sure your files are backed up regularly – you can significantly cut your chances of being infected.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.