New ransomware threatens to make private files public

Chimera malware started by targeting systems within German businesses


Criminals have upped the ante with new ransomware that threatens not only to encrypt data but also to publish those files on the internet if victims don't pay up.

According to a blog post by the Anti-Botnet Advisory Centre, an IT security service run by the German Association of the Internet Industry, the malware has been circulating on computers within German businesses and organisations.

The malware has been sent via email to firms disguised as job applications or business offers. The emails contain a link to a malicious file hosted on Dropbox.

Once installed, Chimera encrypts both local files and those on network drives connected to the machine. When rebooted, the computer displays a ransom note on the user's desktop asking for a payment of around €630 in Bitcoin to provide a key to decrypt files.

However, the malware goes one step further than similar ransomware. The note also says that if no payment is forthcoming, the hackers will publish the user's files on the internet.

“At this point, there is no evidence whether personal data has been published on the internet or not – same as we haven't heard of a case where the cyber-criminals have released the data after paying the €630 in Bitcoins,” said the Anti-Botnet Advisory Centre.

Neither the ransom note nor the malware clarifies whether files are exfiltrated by the hackers before they are encrypted, but the threat could make users pay up even if they have backup copies of the encrypted data.

The organisation advises victims not to pay up if their machines have become infected, despite the extra warning about making files public.

Steve Ward, senior director at iSIGHT Partners, told SCMagazineUK.com that while his firm has not independently analysed the Chimera ransomware to confirm its activity, the described threat of leaking the data is unlikely to be true.

“Instead, the ransom message is probably intended to increase the likelihood that enterprises will pay the ransom. As ransomware campaigns are often broadly targeted, organisations should ensure they have robust data backup policies and redundant storage of the most important data to ensure that critical information is not lost if an infection occurs,” he said.

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that the proliferation of what is essentially the 4th edition of Cryptowall presents users (business and personal) with a new headache, at a critical time for businesses globally in the run up to various national holiday periods.

“We've noticed a number of modifications to this ransomware from earlier versions in the way that the malware is delivered to the end-user machine, how it encrypts and obfuscates filenames differently to previous versions and additional malware dropped onto infected host systems for further compromise activity,” he said.

“It also attempts to infect shared drive connections, which means once it has a foothold it can more effectively spread itself right across the organisation. All in all, it's harder to detect at a host level through existing security tools and presents a real problem for users and organisations that fail to follow best-practice security principles in terms of online activity.”
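The shared-drive encryption behaviour described above (many files on connected network drives rewritten under new names by one process, which host security tools reportedly struggle to flag) can be caught on the host side with a rate-and-entropy heuristic over file-write events. The block below is an added example, not code from the article or from Alert Logic; the event records, the process name `bewerbung.exe`, the `.crypt` extension, the share-path convention and the thresholds are all constructed assumptions to be tuned per environment.

```python
"""Host-side heuristic: alert when one process rewrites many files with
ciphertext-like content under new names inside a short time window, and note
whether any of those files live on a network share. Added example, not code
from the article; events and thresholds are constructed assumptions."""
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_share_path(path: str) -> bool:
    # Constructed convention: UNC paths and /mnt mounts count as network shares.
    return path.startswith("\\\\") or path.startswith("/mnt/")


def detect_mass_encryption(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """events: list of dicts with keys t (seconds), pid, image, path,
    new_path (path after rename; equal to path if not renamed) and data (bytes
    written). Returns one alert per offending pid; empty list otherwise."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most window_s seconds.
            while evs[end]["t"] - evs[start]["t"] > window_s:
                start += 1
            win = evs[start:end + 1]
            # A rewrite counts as suspicious only when the content looks
            # encrypted AND the file was given a new name (extension change).
            suspicious = [e for e in win
                          if shannon_entropy(e["data"]) >= min_entropy
                          and e["new_path"] != e["path"]]
            if len(suspicious) >= min_files:
                alerts.append({
                    "pid": pid,
                    "image": evs[0]["image"],
                    "files": len(suspicious),
                    "touched_share": any(is_share_path(e["new_path"]) for e in suspicious),
                    "window_start": win[0]["t"],
                })
                break  # one alert per process is enough to trigger response
    return alerts


# Constructed stand-ins: a uniform byte distribution scores exactly 8.0 bits,
# like ciphertext; repeated prose scores far lower.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly figures attached, kind regards, accounting\n" * 80


def sample_events():
    """Constructed event stream: a benign editor saving two local files in
    place, then one process rewriting six share files with a new extension."""
    evs = []
    for i, p in enumerate([r"C:\Users\anna\report.docx", r"C:\Users\anna\notes.docx"]):
        evs.append({"t": 1.0 + i, "pid": 100, "image": "winword.exe",
                    "path": p, "new_path": p, "data": PLAINTEXT_LIKE})
    for i in range(6):
        p = rf"\\fileserver\finance\invoice{i}.xlsx"   # constructed share path
        evs.append({"t": 5.0 + 0.3 * i, "pid": 4242, "image": "bewerbung.exe",
                    "path": p, "new_path": p + ".crypt", "data": CIPHERTEXT_LIKE})
    return evs


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

Requiring both the entropy and the rename condition keeps ordinary activity (backup agents, compression, a user saving a file in place) below the threshold; the window and file-count limits should be set from a baseline of the file servers' normal write rates, and the `touched_share` flag is what distinguishes a single-host incident from one that is already spreading across the organisation.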

Cassidy added that while the malware purports to publish data, his firm has yet to see anything showing this to be true.

“Until we've seen an example of how the data is published, it's hard to dissect things to ascertain if/how the authors might be tracked through this activity, however it could certainly be feasible,” said Cassidy.

“The challenge we have today is that most malware is written to use anonymity networks (such as TOR) and compromised public websites and data-stores to perform a great deal of the malware functions. Typical tracing will normally be down to monitoring how funds move into and out of Bitcoin wallets from ransomware payments made by users who have been infected.”

Cassidy said the best form of protection is better awareness in online activities.

“If we look at Chimera it targets business organisations using social engineering through various business related topics, but the key indicator here is that it asks the user to download files from a public data-store location. In almost all instances we need to question the sender in terms of opening untrusted/unknown files and if we're not happy with the response, we simply shouldn't take the risk.”
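Cassidy's "key indicator" above, together with the delivery method described earlier (an unsolicited, business-themed email that asks the recipient to download a file from a public data-store such as Dropbox), can be written down as a mail-gateway triage rule that holds matching messages for human review. The block below is an added example, not code from the article or from any of the firms quoted in it; the sample messages, the German and English lure phrases, the data-store host list and the `example.de` internal domain are constructed assumptions.

```python
"""Mail-gateway triage rule for the lure pattern reported in the article:
external sender + job-application/business-offer theme + link to a public
data-store. Added example, not the article's or any vendor's code; the
messages, phrases, hosts and internal domain are constructed assumptions."""
import re
from urllib.parse import urlparse

# Constructed: hosts treated as public data-stores when linked from unsolicited mail.
PUBLIC_DATA_STORES = ("dropbox.com", "dropboxusercontent.com")

# Constructed: German and English phrases matching the reported lure themes.
LURE_THEMES = re.compile(
    r"\b(bewerbung|lebenslauf|application|resume|cv|angebot|offer|rechnung|invoice)\b",
    re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(address: str) -> str:
    """Domain part of an address such as 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def is_public_data_store(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in PUBLIC_DATA_STORES)


def triage(msg: dict, internal_domain: str) -> dict:
    """msg has keys 'from', 'subject', 'body'.
    Returns {'hold': bool, 'reasons': [...]}. Internal mail is passed through."""
    reasons = []
    if sender_domain(msg["from"]) == internal_domain.lower():
        return {"hold": False, "reasons": reasons}
    links = [u for u in URL_RE.findall(msg["body"]) if is_public_data_store(u)]
    themed = LURE_THEMES.search(msg["subject"] + " " + msg["body"]) is not None
    if links:
        reasons.append("external sender links to public data-store: " + ", ".join(links))
    if themed and links:
        reasons.append("job-application/business-offer theme combined with external download")
    # Hold only when the download link is present: the theme alone is far too
    # common in legitimate mail (real applications, real offers) to act on.
    return {"hold": bool(links), "reasons": reasons}


SAMPLE_MESSAGES = [  # constructed samples, not real campaign data
    {"from": "hr-kandidat@mail.example.net",
     "subject": "Bewerbung als Buchhalter",
     "body": "Sehr geehrte Damen und Herren, meinen Lebenslauf finden Sie hier: "
             "https://www.dropbox.com/s/EXAMPLE/Bewerbung.zip?dl=1"},
    {"from": "anna@example.de",
     "subject": "Bewerbung weitergeleitet",
     "body": "Siehe Lebenslauf auf dem Laufwerk: https://intranet.example.de/hr/cv.pdf"},
    {"from": "partner@supplier.example.org",
     "subject": "Meeting notes",
     "body": "Notes are on our portal: https://portal.supplier.example.org/notes"},
]


def triage_samples(internal_domain: str = "example.de"):
    """Run the rule over the constructed samples; returns one result per message."""
    return [triage(m, internal_domain) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_samples()):
        print(msg["subject"], "->", result)
```

A held message is then handled exactly as Cassidy and Bunker describe: someone contacts the sender by a separate channel (a phone call or a fresh email, not a reply) and, if the answer is unsatisfactory, the file is never downloaded. The rule deliberately ignores attachments and internal mail so that it stays cheap and its false-positive rate is dominated by genuine external file-sharing, which is the traffic a review queue exists for.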

He added that if systems become infected, then a good backup policy will ensure recovery to a pre-infected backup and users can learn from their mistakes. “Without either of these in place, organisations and users will be in a very poor position indeed to prevent this activity from successfully infecting them.”

Wim Remes, strategic services manager EMEA at Rapid7, told SCMagazineUK.com that even if hackers published data, it would be hard to trace these criminals.

“It won't necessarily point back to the hackers as there are enough anonymous ways to publish data. I do suspect that the threat is made solely to give the victim a sense of urgency and force them to pay the ransom. Ransomware is, first and foremost, a revenue stream for their creators,” he said.

Dr Guy Bunker, senior VP products at cyber security company Clearswift, told SCMagazineUK.com that when it comes to organisations protecting themselves against this kind of attack, they must accept there is a risk. “Accept that this is probably a matter of ‘when’ not ‘if’. Look at putting in place protection to mitigate it,” he said.

He said that employees should be told of these risks.

“Ensure that they know this is a problem and so to remain vigilant and cautious when using cloud collaboration services. When in doubt, don't click the link… send email (or use the phone) with the originator to double check that the file is bona fide,” he said.

Bunker also urged companies to update corporate acceptable usage policies and processes to deal both with use and with what happens if there is an infection caused by this type of attack.
