UPDATED 00:19 EDT / JULY 29 2016


Chimera ransomware keys leaked by rival gang as cyber-turf wars heat up

The ransomware business has gotten so profitable and so competitive that rival gangs are now sabotaging each other in a bid to secure more victims for themselves.

As revealed this week, the creators of the Mischa and Petya ransomware viruses have turned on the criminal gang behind the better-known and more widely-distributed Chimera ransomware, stealing its code and leaking around 3,500 RSA private keys that can be used by victims to recover their data.

The developers of Mischa pasted a message onto Pastebin on Tuesday, claiming that they managed to hack Chimera and steal its code earlier this year. They then integrated much of this code into their own ransomware – a claim that’s already been confirmed by security researchers at Malwarebytes, which said just a few weeks ago that Mischa shares many of Chimera’s components.

It’s not immediately clear if the leaked RSA keys actually work, but researchers at Malwarebytes said it’s possible they will.

“Checking if the keys are authentic and writing a decryptor will take some time – but if you are a victim of Chimera, please don’t delete your encrypted files, because there is a hope that soon you can get your data back,” Malwarebytes said in a blog post.
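The "checking if the keys are authentic" step Malwarebytes describes is, at its core, a matching problem: a victim's sample or ransom note carries an RSA public key, and the leaked dump holds thousands of private keys, so a recovery tool has to find the one private key that actually pairs with that public key before any decryptor can be written. The example below is an added illustration and is not Malwarebytes' code or anything from the Chimera or Mischa leak; it uses constructed toy-sized keys (plain integer tuples built from small primes) so it runs with only the Python standard library. A real effort would load the PEM/DER keys with a crypto library, but the two checks shown, a cheap modulus comparison followed by an encrypt/decrypt round trip, are the same.

```python
"""Match a victim's RSA public key against a dump of leaked private keys.

Added example with constructed toy data (not Malwarebytes' decryptor and
not keys from the Chimera leak).  A public key is (n, e); a private key
is (n, d).  Moduli are tiny so everything runs with the standard library.
"""
from typing import List, Optional, Tuple

PublicKey = Tuple[int, int]
PrivateKey = Tuple[int, int]


def make_keypair(p: int, q: int, e: int) -> Tuple[PublicKey, PrivateKey]:
    """Build a toy RSA key pair from two primes (constructed test data only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


# Constructed "victims" and a constructed "leaked dump".  PRIV_BOGUS has the
# right modulus but a garbage private exponent, to show why comparing the
# modulus alone is not sufficient proof that a leaked key is genuine.
PUB_A, PRIV_A = make_keypair(61, 53, 17)     # n = 3233
PUB_B, PRIV_B = make_keypair(101, 103, 7)    # n = 10403
PRIV_BOGUS: PrivateKey = (PUB_A[0], 1000)    # same n as A, wrong d

LEAKED_PRIVATE_KEYS: List[PrivateKey] = [PRIV_B, PRIV_BOGUS, PRIV_A]


def private_key_matches(pub: PublicKey, priv: PrivateKey,
                        probes: Tuple[int, ...] = (2, 42, 1234)) -> bool:
    """True only if `priv` decrypts what `pub` encrypts, for every probe value."""
    n, e = pub
    n_priv, d = priv
    if n != n_priv:
        # Cheap prefilter: a different modulus cannot be the matching half.
        return False
    # Round-trip test: for a genuine pair, (m^e)^d == m (mod n) for all m.
    for m in probes:
        m %= n
        if pow(pow(m, e, n), d, n) != m:
            return False
    return True


def find_matching_private_key(pub: PublicKey,
                              leaked: List[PrivateKey]) -> Optional[int]:
    """Return the index in `leaked` of the key that pairs with `pub`, or None."""
    for i, priv in enumerate(leaked):
        if private_key_matches(pub, priv):
            return i
    return None


if __name__ == "__main__":
    for label, pub in (("victim A", PUB_A), ("victim B", PUB_B)):
        idx = find_matching_private_key(pub, LEAKED_PRIVATE_KEYS)
        print(f"{label}: leaked key index {idx}")
```

The round-trip check is what separates "a key with the same modulus is in the dump" from "this key actually recovers the files": a corrupted or deliberately poisoned entry fails the probe test even though its modulus matches, which is exactly the situation a recovery tool must guard against before telling a victim their data is recoverable.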

Chimera first made headlines last November when it was revealed to have added a new twist to victims’ dilemma. Not only did it lock up victims’ files and make them inaccessible, it also threatened to post those files onto the Web in plain text format if they didn’t pay the ransom. It’s not clear if Chimera’s makers ever followed through with their threats, but the threat of doing so was a novel way of amping up the pressure on victims who might otherwise have decided to just write off the lost files instead of paying to unlock them.

Mischa is a far more recent development. Its first documented appearance was in May, and researchers say it’s usually bundled with a second ransomware program, called Petya, which encrypts the master file table (MFT) of victims’ hard drives. Petya’s encryption is harder to break, but requires admin access – that’s not always available, so Mischa acts as a kind of backup, directly encrypting a user’s files if admin privileges cannot be obtained.

At the same time as they released Chimera’s keys, thereby knocking one of its best-known rivals out of the game, the creators of Mischa and Petya also announced a new affiliate program that allows others to buy their ransomware and begin distributing it themselves – a practice that experts have now termed “Ransomware-as-a-Service”.

SiliconANGLE recently touched upon the economics of Ransomware-as-a-Service and the increasing competitiveness among cybercriminals eager to cash in on the phenomenon, and the actions of Mischa’s and Petya’s creators suggest a new escalation in the race to rip off PC users.

“Unfortunately, this will most likely lead to a greater amount of distribution campaigns for this ransomware,” said Lawrence Abrams, the founder of tech support forum BleepingComputer.com, in a blog post.

Image credit: bykst via pixabay.com
