It seems that as quickly as the Chimera ransomware surfaced, the operation has been shut down.
Researchers at Bleeping Computer said Tuesday that the malware was no longer active. A number of security companies were publishing alerts about this latest strain of crypto-ransomware, which was primarily targeting users in Germany and made veiled threats of publishing victims’ encrypted data online.
Lawrence Abrams of Bleeping Computer, however said that was indeed an empty threat and that the malware did not have the capability to do this.
“They encrypt the data files but do not transmit any details about these files or the files themselves anywhere during the encryption process. The encryption part of the malware also deletes itself after running, so there is nothing left to transmit them later,” Abrams said. “The decrypter that they have you download does sit there running while it waits for the decryption key to be sent to it, but we have the source code for it and it does not send data files anywhere.”
Abrams said that researcher Fabian Wosar of Emisoft has also looked into Chimera and his educated guess is that the rash of attention foisted upon the campaigns in Germany may have forced the attackers’ hand to shut down the operation. Abrams worries, however, that other ransomware gangs may follow Chimera’s lead, in particular around its unique use of the Bitmessage peer-to-peer messaging protocol for communication and payment transactions between the attackers and victim computers.
Bitmessage operationally is similar to Bitcoin in that all users receive all encrypted messages through the system. Only those clients with a private key to access the message, in this case the attacker. The distributed nature of the system and the encryption afforded each message made it attractive to the attackers.
“As long as the malware developer has access to a computer, they can access their bitmessages and retrieve new keys and send decryption keys,” Abrams said. “All bitmessages are saved and distributed to other peers for two days, so the developer can move from location to location and still be able to access messages that were received during that time frame. As many of the peers use Tor, VPNs, I2P, etc and because all peers forward on the messages, there is no way to truly determine who the original sender was.”
Chimera popped up in September, spreading in business-related emails to companies in Germany. Botfrei, the Anti-Botnet Advisory Centre, earlier this month published an advisory warning companies about the spread of Chimera and the messaging used to move the malware. Emails included links to resources stored on Dropbox, which are instead the Chimera malware. The ransomware downloads and encrypts locally stored data and network drives connected to the victimized computer.
The ransom notes demands about $700 USD to be paid in Bitcoin, and promises that the attackers will publish personal data and photographs online if the ransom is not paid.