There is no honor among thieves, as the saying goes, and that includes ransomware crooks. In an apparent move to sabotage a ransomware competitor, the authors of the Mischa and Petya ransomware-as-a-service leaked 3,500 decryption keys for its competitor Chimera ransomware.
The move appears to be an attempt to push ransomware criminals to ditch Chimera service and push them toward a new offering by Mischa and Petya ransomware developers.
News of the leaked Chimera decryption keys came from Twitter user JanusSecretary who on Tuesday tweeted a link to the keys and a message that stated:
“Additionally we now release about 3500 decryption keys from Chimera. They are RSA private keys and shown below in HEX format. It should not be difficult for antivirus companies to build a decrypter with this informations.”
— JANUS (@JanusSecretary) July 26, 2016
Kaspersky Lab on Wednesday updated its RakhniDecryptor ransomware utility (version 18.104.22.168) that now decrypts files infected with the Chimera ransomware, allowing those impacted to get their data back sans paying a ransom to crooks.
The roots of the decryption key leak can be traced to the ransomware Mischa and its use of portions of source code from the Chimera ransomware. “According to the (Petya) devs, at some point they gained access to the Chimera development system and used some of their Chimera code in their own project,” wrote computer forensics expert Lawrence Abrams who maintains the BleepingComputer website. “While they gained access, it appears they took the Chimera decryption keys along with the code,” he added.
The popularity of Chimera ransomware has significantly diminished over time. Last November, BleepingComputer reported the ransomware operation had shut down. The crypto-ransomware was first spotted in September 2015 targeting users in Germany. It was unique because it made veiled threats of publishing victims’ encrypted data online.
Perhaps it’s no coincidence the death knell blow to Chimera ransomware authors coincides with a new campaign by Petya and Mischa developers. According to BleepingComputer researchers, on the same day Chimera keys were made public, Petya and Mischa developers began to formally offer ransomware marketed as Petya & Mischa RaaS. Abrams observed, in a recent research post, Petya and Mischa developers have been testing the new ransomware strain in partnership with a number of “high volume distributors.”
Petya and Mischa developers appear to have tightened their connection to one another this past May. That’s when Petya escalated its crypto-malware campaign by more aggressively targeting not just data on victim’s PCs, but also the Master File Table on compromised machines. At the time, if Petya ransomware could not reach the MFT it would attempt to install the Mischa ransomware.
In a May 2016 Threatpost report Abrams said the Petya gang was “leaving money on the table” in the form of any failed Petya installations. The counter was the bundling of the Mischa ransomware into the Petya installer that would execute if Petya failed.
“As of today, any would-be criminal can sign up and become an official distributor. Unfortunately, this will most likely lead to a greater amount of distribution campaigns for this ransomware,” Abrams wrote.