Threat Management, Incident Response, Malware, TDR

Ransomware Chimera is back, offering victims commission

Chimera, once thought to be dead, is back and offering victims an opportunity to earn commission by selling the ransomware to others.

Researchers at Trend Micro observed Chimera offering its victims an opportunity to join its “affiliate program” where they are offered a 50 percent commission for selling the ransomware as a service (RaaS), according to a Dec. 3 blog post.

Victims receive the offer in the same message that demands they pay a Bitcoin ransom. Those interested are instructed to look in the source code of the file for more information which researchers found to be a Bitmessage address that can be used for peer-to-peer encrypted messaging.

By offering victims and potential business partners a cut of the profits, researchers speculated the creator(s) of the malware lessen the possibility of being caught by authorities by convincing others to do their bidding. But, it was unclear if victims get any sort of discount on their ransom for joining.

The ransomware also exhibited the unique traits of threatening to publish the locked files online if the user doesn't pay and uses a separate decryption software program, in conjunction with Bitmessage, to deliver the decryption key if a victim does pay.

The threat to publish the locked information is likely a social engineering tactic Paul Ferguson, senior threat researcher at Trend Micro told

“Our analysis reveals that despite the threat, the malware has no capability of siphoning the victim's files to a command-and-control (C&C) server. The only information it sends to its server is the generated victim ID, Bitcoin address, and private key,” the blog said. 

Ferguson told SCMagazine that the separate decryptor and Bitmessage are most likely used to “further ensure that the sender of the ransom message cannot be traced back to a user account, and possibly lead to attribution of the criminal's true identity.”

Ferguson said victims are often infected via various exploit kits and drive-by-style download attacks and that potentially anyone could be at risk and the perpetrators are financially motivated. He speculates that they are based in Eastern Europe adding there is the possibility that an organized crime nexus could be involved, although he isn't certain.

The ransomware has both an English and German version so the attackers are most likely targeting users in the U.K., Germany and the U.S., Ferguson said, adding that if the malware authors can get roughly one out of every ten victims to pay it would be worth their return on investment.

“Don't pay, if they pay there's not guarantee you'll get your data beck,” Ferguson said. He added that there are several copy cat scammers that will take peoples' money and run.

It's better if people back up there data ahead of time on devices that aren't linked to their computers physically or virtually, he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.