Chimera Ransomware



Ransomware and scareware tactics have met in a dangerous union in a new variant of the ‘Chimera’ ransomware. Once it has infected a machine, ‘Chimera’ threatens to publish your personal photos and files if you miss the ransom payment deadline.

Ransomware has been the talk of the town for a little while now. It’s a big fear for both home and business users and new variants and varieties seem to be cropping up almost daily.

A new version of the ransomware known as ‘Chimera’ has begun to borrow from another malware family: scareware.

Once Chimera is done encrypting your files in the standard ransomware fashion, it displays a message threatening to publish your personal photos and files online unless you pay up before a deadline.

“Infect, report, encrypt, extort…”

Existing ransomware already borrows slightly from the scareware manual: a scary-looking pop-up, sometimes claiming to come from a government or other official body. Mark James, ESET IT security specialist, explains that this is a new take on ransomware.

“It’s certainly a new take on the ransomware scenario. General tactics until now have always been to infect, report, encrypt, extort, then you pay and you’re lucky if your data gets decrypted.

“Copying that data offsite for public dissemination is to be honest not worth the time and effort involved in the process.

“It’s all about that first initial impact of the ransom, the goal is to get the end user to act on impulse and pay the fine as quickly as possible with as little fuss as they can achieve.”

The idea of the “initial impact” raises an important question: will they follow through on their threats? Or are they there to make the “initial impact” more impactful?

The security firm responsible for uncovering Chimera, Botfrei in Germany, say there is no evidence that any private data has been published due to Chimera, so how likely is it to happen?

“Likely yes, practical no. Not only do we need to look at the amount of online storage and data transfer involved but also it massively increases the footprint this type of malware will leave behind for the authorities to follow.”

Multilingual malware

Currently the malware appears to be confined to Germany, targeting German businesses, but surely malware of this nature will make the jump to English and begin targeting English-speaking countries like the UK or US?

“Quite likely indeed, we have seen many variants of cryptolocker targeted for different countries and tailored for maximum effectiveness and this was very successful, there is no reason to suggest that this is localised and will only stay in Germany.”

As with any ransomware or scareware, the best, and often only, way to deal with it is to first remain calm and then restore your data from a backup.

“My recommendation would be to not pay at all, you are quite simply funding criminal behaviour. Making sure your applications, operating system and security software are up to date and making sure you back up regularly is the best defence against this type of behaviour, backup options these days are so cheap it really is a no brainer, DO NOT PAY.”

Have you ever been a victim of scareware or ransomware? How did you react?
