Chimera ransomware has been around for some time, and while the operation was believed to have been shut down in 2015, it has recently made a comeback, with an upgrade that is even nastier than before. Chimera is a Trojan, which means that it cannot spread by itself; it relies on its victims to open and run the program, typically after being tricked by a phishing email. The new strain focuses more on businesses than on individuals, as businesses are more likely to pay the ransom. Chimera is assumed to target German companies primarily, because the ransom note is written in German. At the time of writing, there are no tools available that are capable of decrypting files encrypted by the new strain.
How Does Chimera Ransomware Work?
Chimera is typically delivered via phishing emails containing malicious Dropbox links. However, it can also be distributed via drive-by downloads and malvertising. As with most forms of ransomware, once it has been executed it encrypts the victim's files and then leaves a ransom note instructing them to pay a ransom (usually in bitcoin) for the decryption key. The ransom amount is currently said to be around 1 BTC, which, at the time of writing, is just under $20,000. Victims are instructed to pay the ransom via the Tor browser, so that the payment site stays anonymous. The Chimera group uses a peer-to-peer messaging protocol called Bitmessage to communicate with its victims.
The Chimera group has also claimed that it steals the victim's data before encrypting it, and it threatens to publicly disclose that data if the victim refuses to pay the ransom. However, the Anti-Botnet Advisory Centre has not found any evidence of stolen files being published. In fact, there isn't any evidence that Chimera steals the data at all. Chimera will also try to delete the Volume Shadow Copy snapshots of the victim's files, which means that tools like Shadow Explorer may not be able to restore earlier versions of them.
How To Recover From A Chimera Ransomware Attack
If your system has been infected by Chimera ransomware, the first thing you will need to do is disconnect the device from the network, so that it cannot reach and encrypt files on shared drives. You probably won't need to remove the Chimera executable yourself, as it allegedly deletes itself once all files have been encrypted. That said, it is always a good idea to perform a malware scan in order to remove any traces of the infection (other than the encrypted files). Keep a copy of the encrypted files and the ransom note, since decryption tools sometimes become available later. You will also need to reset all relevant credentials and install the relevant security updates. While Chimera will try to delete the shadow volume copies of your data, it is still worth checking whether any survived and can be restored. Failing that, you will need to wipe the device, re-install the operating system, and restore your files from a backup, assuming you have one. As always, you should avoid paying the ransom at all costs. After all, there is no reason to assume that the attackers will make good on their promise to provide you with the decryption key. And let's not forget that paying the ransom only encourages them to target more victims.
How To Prevent A Chimera Ransomware Attack?
As we all know, prevention is better than cure, and this is especially true when it comes to ransomware attacks, as they can be very hard to recover from. Below are some of the most relevant preventative measures that you can implement in order to minimize the likelihood of a Chimera ransomware infection.
Conduct regular training
All employees must be sufficiently trained to identify suspicious emails and websites.
Take regular backups
Backup procedures should be automated, and backups should be stored in a secure location that the infected machine cannot write to (offline media, or a store the user account has no write access to), so that the ransomware cannot encrypt the backups as well. Test restores regularly.
Install the relevant patches
Ensure that all software is patched in a timely manner. Use an automated patch management solution to streamline the process.
Use Software Restriction Policies
Through Group Policy, administrators can set up Software Restriction Policies to prevent programs from executing from locations a standard user can write to, such as %AppData%, %LocalAppData% and %Temp%, which is where mail-delivered Trojans like Chimera are typically dropped before being run.
Monitor network traffic
Use an Intrusion Prevention System (IPS) that can respond to anomalous network traffic, such as connections to the attacker's C&C server or large uploads of files to unknown external hosts.
Detect and respond to suspicious file activity
Use data-centric file auditing software that can detect and respond to events matching a pre-defined threshold condition. For example, if a single user account modifies, renames or copies more than a given number of files within a short time window, you can execute a custom script that disables that account or disconnects the host, which stops the encryption from spreading across the file share.
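The threshold rule described above, as an added example that is not Lepide's product code or the original article's: it replays a constructed file-audit trail (one "timestamp user ACTION path" line per event, a format assumed here for illustration) through a per-user sliding window and fires an alert the first time one account changes more than a set number of distinct files inside the window. The `respond` hook and the ".locked" extension in the sample data are hypothetical placeholders.

```python
"""Rate-based detection of mass file encryption from file-audit events.

Added example (not Lepide's or the article's own code). Audit lines are in a
constructed 'ISO-timestamp user ACTION path' format; a user who changes
THRESHOLD or more distinct files within WINDOW seconds triggers one alert
and a hypothetical response hook.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that alter file content or name; READ events do not count.
WRITE_LIKE = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Split 'ISO-timestamp user ACTION path' (path may contain spaces)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action.upper(), path


class BurstDetector:
    """Per-user sliding-window counter of distinct files changed."""

    def __init__(self, threshold=20, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._events = defaultdict(deque)   # user -> deque of (ts, path)
        self._alerted = set()               # users already reported

    def feed(self, ts, user, action, path):
        """Return an alert dict the first time a user crosses the threshold."""
        if action not in WRITE_LIKE:
            return None
        q = self._events[user]
        q.append((ts, path))
        # Evict events that have fallen out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and user not in self._alerted:
            self._alerted.add(user)
            return {"user": user, "at": ts, "files": len(distinct)}
        return None


def respond(alert):
    """Hypothetical response hook: the actions an operator script would run."""
    return [f"disable-account {alert['user']}",
            f"kill-smb-sessions {alert['user']}"]


def run_detection(log_text, threshold=20, window_seconds=60):
    """Replay audit lines through the detector; return the alerts raised."""
    det = BurstDetector(threshold, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = det.feed(*parse_event(line))
        if alert:
            alert["actions"] = respond(alert)
            alerts.append(alert)
    return alerts


def build_sample_log():
    """Constructed audit trail: alice works normally, bob renames 25 files in ~12 s."""
    lines = [
        "2017-11-20T09:00:01 alice WRITE \\\\fs01\\finance\\Q3 report.xlsx",
        "2017-11-20T09:03:10 alice READ \\\\fs01\\finance\\budget.docx",
        "2017-11-20T09:05:44 alice WRITE \\\\fs01\\finance\\budget.docx",
    ]
    start = datetime(2017, 11, 20, 9, 7, 0)
    for i in range(25):
        ts = (start + timedelta(milliseconds=480 * i)).isoformat()
        # '.locked' is a made-up extension for the sample, not Chimera's real one.
        lines.append(f"{ts} bob RENAME \\\\fs01\\finance\\doc{i:02d}.docx"
                     f" -> doc{i:02d}.docx.locked")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in run_detection(build_sample_log()):
        print(f"{a['at']} {a['user']} changed {a['files']} files: {a['actions']}")
```

With the defaults (20 files in 60 seconds) alice's occasional edits never trigger, while bob is reported on his 20th rename, well before the 25-file burst completes. Tune the threshold against a baseline of legitimate bulk operations (builds, backup agents, migrations) on your own shares, and exclude those service accounts explicitly rather than raising the threshold for everyone.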
If you’d like to see how Lepide can help you prevent ransomware attacks, schedule a demo with one of our engineers.