![]() ![]() The following are just some of the hosts which this Trojan connected to during our analysis: .com. The following are just some of the hosts which this Trojan connected to during our analysis: .com . The malware then connects to several hostnames in the Tor Network. The ransom notes demands about $700 USD to be paid in Bitcoin, and promises that the attackers will publish personal data and photographs online if the ransom is not paid. The malware then connects to several hostnames in the Tor Network. The ransomware downloads and encrypts locally stored data and network drives connected to the victimized computer. ![]() Emails included links to resources stored on Dropbox, which are instead the Chimera malware. Botfrei, the Anti-Botnet Advisory Centre, earlier this month published an advisory warning companies about the spread of Chimera and the messaging used to move the malware. As many of the peers use Tor, VPNs, I2P, etc and because all peers forward on the messages, there is no way to truly determine who the original sender was.”Ĭhimera popped up in September, spreading in business-related emails to companies in Germany. “All bitmessages are saved and distributed to other peers for two days, so the developer can move from location to location and still be able to access messages that were received during that time frame. “As long as the malware developer has access to a computer, they can access their bitmessages and retrieve new keys and send decryption keys,” Abrams said. The distributed nature of the system and the encryption afforded each message made it attractive to the attackers. Only those clients with a private key to access the message, in this case the attacker. Abrams worries, however, that other ransomware gangs may follow Chimera’s lead, in particular around its unique use of the Bitmessage peer-to-peer messaging protocol for communication and payment transactions between the attackers and victim computers.īitmessage operationally is similar to Bitcoin in that all users receive all encrypted messages through the system. “The decrypter that they have you download does sit there running while it waits for the decryption key to be sent to it, but we have the source code for it and it does not send data files anywhere.”Ībrams said that researcher Fabian Wosar of Emisoft has also looked into Chimera and his educated guess is that the rash of attention foisted upon the campaigns in Germany may have forced the attackers’ hand to shut down the operation. The encryption part of the malware also deletes itself after running, so there is nothing left to transmit them later,” Abrams said. “They encrypt the data files but do not transmit any details about these files or the files themselves anywhere during the encryption process. Lawrence Abrams of Bleeping Computer, however said that was indeed an empty threat and that the malware did not have the capability to do this. A number of security companies were publishing alerts about this latest strain of crypto-ransomware, which was primarily targeting users in Germany and made veiled threats of publishing victims’ encrypted data online. Researchers at Bleeping Computer said Tuesday that the malware was no longer active. ![]() It seems that as quickly as the Chimera ransomware surfaced, the operation has been shut down. ![]()
0 Comments
Leave a Reply. |