
Security Experts Develop a Decryptor for Chimera Thanks to Leaked Private Keys

Posted: July 28, 2016

This summer, PC security experts have witnessed a striking example of how rivalry between malware creators can work to the benefit of victims. The author of the ransomware families Mischa and Petya released to the public a set of decryption keys for the rival ransomware variant Chimera, claiming he had hacked his competitors' servers in an attempt to ruin their business. It took researchers less than a month to confirm that the keys are genuine, yet the case also showed that ransomware threats, in general, keep evolving.

On July 26, 2016, Twitter user Janus published Chimera decryption keys and explained his actions in a statement. The note says the hacker had gained access to the development system of Chimera and extracted parts that he later used for his own ransomware, Mischa. Janus also leaked a HEX file containing 3,500 RSA private decryption keys that victims of Chimera can use to decrypt their files. These private keys are normally sent to victims only after they pay the ransom, so having them publicly available means that Chimera's revenue source has been shut down for good. Experts doubt, however, that this was the only reason for Janus and his team to make the data public; the statement also appears to have served to market their own Petya&Mischa RaaS (Ransomware-as-a-Service). The crooks launched it just a few hours before publishing the keys, and they evidently hope it will pick up where the Chimera affiliate program left off.

Chimera has been around for several years, though one of its variants from November 2015 contained some new features. The new variant's strategy involved threatening victims that their private files would be exfiltrated and published if they did not pay the ransom on time. Researchers proved this to be impossible; however, the Chimera ransom note contained another interesting message for them: "Take advantage of our affiliate-program! More information in the source code of this file."

By analyzing the ransomware's code, experts found in it an integrated service that allowed the secret exchange of messages via P2P connections. This suggests that Chimera's creators offered their code as a Ransomware-as-a-Service option, where other hackers could use the encryption routine in exchange for a commission. The marketing strategy did not seem very clever, as it required infecting another hacker with the malware (normal PC users would not be able to take advantage of the offer). The Petya&Mischa creators have now found a cleverer way to sell the service and raise their profits at a lower risk of being traced back.

Ransomware threats will persist, but Chimera and its RaaS platform, in particular, seem to be extinguished for now. With the leaked keys, white hat hackers had all the parts needed to develop a decryptor that would allow victims to recover their files. The Chimera authors themselves provided a link from which victims could download an external decryption tool. That tool works only with the private key that matches the public key used to encrypt the data, so researchers only needed to run some tests to validate the authenticity of the leaked keys.
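The matching step described above, as an added example that is not the Chimera tool, Janus's dump, or any researcher's code: given a victim's public key (in a real case it is recovered from the ransom note or file headers) and a list of leaked private keys, the decryptor has to pick out the key whose modulus matches and then prove it really decrypts before trusting it. The RSA here is textbook RSA over constructed toy primes, and the "dump" is a handful of constructed key pairs standing in for the 3,500 leaked keys; real keys are 2048-bit and use padding, but the matching and validation logic is the same.

```python
# Added example (not the Chimera tool or the leaked dump): match leaked RSA private keys
# to the public key that encrypted a victim's file key, then validate the match.
# Textbook RSA with constructed toy primes; far too small for real use.


def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (toy sizes, constructed)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "e": e, "d": d}


def encrypt(pub, m):
    """Textbook RSA encryption of an integer smaller than the modulus."""
    assert 0 <= m < pub["n"], "message must be smaller than the modulus"
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


def key_is_consistent(priv, probe=2):
    """Round-trip a probe value through encrypt/decrypt.

    A matching modulus alone is not proof: a corrupted dump entry can carry the right n
    with a wrong d, and the round trip catches exactly that case.
    """
    pub = {"n": priv["n"], "e": priv["e"]}
    return decrypt(priv, encrypt(pub, probe)) == probe


def find_matching_key(pub, leaked_keys):
    """Return the first leaked private key whose modulus and public exponent match the
    victim's public key and that survives the round-trip check; None if no usable key."""
    for priv in leaked_keys:
        if priv["n"] == pub["n"] and priv["e"] == pub["e"] and key_is_consistent(priv):
            return priv
    return None


def recover_file_key(pub, encrypted_file_key, leaked_keys):
    """Decrypt the victim's file key with the matching leaked private key, or None."""
    priv = find_matching_key(pub, leaked_keys)
    return None if priv is None else decrypt(priv, encrypted_file_key)


# Constructed toy dump: four key pairs in place of the 3,500 leaked ones.
TOY_PRIMES = [(10007, 10009), (10037, 10039), (10061, 10067), (10069, 10079)]
PAIRS = [make_keypair(p, q) for p, q in TOY_PRIMES]

# The victim was hit with the second key pair; the file key is a constructed value.
VICTIM_PUBLIC_KEY = PAIRS[1][0]
FILE_KEY = 42424242
ENCRYPTED_FILE_KEY = encrypt(VICTIM_PUBLIC_KEY, FILE_KEY)

# A damaged dump line: same modulus as the victim's key but a wrong private exponent.
CORRUPT_ENTRY = dict(PAIRS[1][1])
CORRUPT_ENTRY["d"] += 1

# The dump as the decryptor sees it; the corrupt entry sits before the genuine one and
# the fourth pair is deliberately missing so the "no key found" path can be exercised.
LEAKED_DUMP = [PAIRS[0][1], CORRUPT_ENTRY, PAIRS[1][1], PAIRS[2][1]]

if __name__ == "__main__":
    print("recovered file key:", recover_file_key(VICTIM_PUBLIC_KEY, ENCRYPTED_FILE_KEY, LEAKED_DUMP))
    print("key for a victim not in the dump:", find_matching_key(PAIRS[3][0], LEAKED_DUMP))
```

The round-trip check is what "conducting some tests to validate the authenticity" amounts to in practice: for every candidate with the right modulus, encrypt a known value with the public half and confirm the private half turns it back, and only then apply the key to a victim's data. Any dump entry that fails this test is skipped rather than used to overwrite the victim's only copy of the encrypted files.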
