A New Version of the Chimera Ransomware

By   ISBuzz Team
Writer , Information Security Buzz | Nov 15, 2015 08:00 pm PST

Security researchers from Botfrei have published findings of a new version of the Chimera Ransomware that is currently targeting German SMBs. According to their report, and in a twist to previous ransomware campaigns, Chimera warns those unlucky to encrypt their files that, if they don’t pay, their data will be published online. Troy Gill, manager of security research at AppRiver, have the following comments on it.

[su_note note_color=”#ffffcc” text_color=”#00000″]Troy Gill, Manager of Security Research at AppRiver :

“While this specific threat is a new addition to the crypto ransomware malware family, it is in perfect keeping with typical malware attacks. Making threats is the name of the game when it comes to ransomware or ‘scareware’. However, I think it is very unlikely that the victim is in any real danger of having their actual documents posted online. With all instances of cryptographic ransomware that we have observed in the past few years, all have simply encrypted the users files on their machine. None have shown any evidence that the documents were exfiltrated from the victims machine. Doing so would be a significant increase in risk for the attacker with much less reward.

“I think it is noteworthy that MANY previous Cryptolocker attacks have relied on free cloud storage sites like Dropbox to distribute their payload. This could be the work of a very well established cybercrime group that is actively expanding their cybercrime portfolio”

“Whether this exact group of attackers expands their reach [outside of Germany] remains to be seen but I do think it likely. However, this is essentially a variant of cryptolocker with the added scareware element, so it could quickly be adapted by others making widespread use and adoption a very likely scenario. If this tactic (of threatening to release documents online) proves to increase the attackers effectiveness then we can rest assured it will become more widespread.

“Feeding the fire by paying these guys should be avoided if at all possible. Keeping a robust set of backups can neutralise this threat pretty easily and should be a priority for other reasons already. Better security and user awareness can also help minimise the likelihood of infection. If you have fallen victim already, the likelihood that you can reverse the encryption on your files is HIGHLY unlikely. So if you are desperate to have your files returned, then paying might be the ONLY option for you.  Just remember, there is no honour among thieves so don’t be surprised if they take your money and never give you the key to unlock your files.”[/su_note]

[su_box title=”About AppRiver” style=”noise” box_color=”#0e0d0d”]AppRiverAppRiver’s corporate headquarters is located in Gulf Breeze, Florida, USA, and our Europe, Middle East and Africa (EMEA) headquarters is in Lupfig, Canton Aargau, Switzerland. The Company also has a regional sales office in Northport, New York, USA and we maintain multiple, secure world-class data centers throughout the United States, Europe, and Asia. Our growing 170-member team protects more than 45,000 corporate customers and eight million mailboxes around the world.[/su_box]