THREAT REMOVAL

We may not think of cyber crime as a “business sector” that also generates rivalry, but it doesn’t mean that cyber crime groups do not compete with each other. Having said that, it shouldn’t be too surprising that the author of one ransomware has leaked the decryption keys of another ransomware.

To be more specific – the author of Petya/ Mischa crypto viruses has disclosed the decryption keys of Chimera ransomware. In a normal situation, those keys would be available only to the ransomware operators and wouldn’t be public.

Now that the keys are leaked and are available online, security researchers at Malwarebytes have started working on a decrypter (decryptor) that should recover files locked by this crypto malware.

What Is Chimera Ransomware?

The original Chimera was infecting systems in October 2015, appending a .crypt extension to affected files. This threat could detect the user PC’s whereabouts and display the ransom message in different languages depending on the user’s location.

Read more about the Original Chimera Ransomware

Later, in November, a new variant of the crypto malware surfaces the Web. This variant combined scareware techniques with file encryption, and targeted companies. The result was the user, most likely an employee or the owner himself, being extorted in more than one way. On one hand, his files were encrypted, and on the other, he was threatened that his personal files would be made public, if the ransom was not paid on time.

Read More about the Extortionist Chimera Variant

How Did the Chimera Decryption Keys End Up Online?

Apparently, a Twitter user Janus who is the operator of a RaaS portal on the Dark Web, has leaked the keys, together with the following statement:

Like the analysts already detected, Mischa uses parts of the Chimera source. We are NOT connected to the people behind Chimera.

Earlier this year we got access to big parts of their deveolpment system, and included parts of Chimera in our project.

Additionally we now release about 3500 decryption keys from Chimera. They are RSA private keys and shown below in HEX format.

It should not be difficult for antivirus companies to build a decrypter with this informations.

Please also check our RaaS system, which now has its registration opened: […] LINK: https://www.sendspace(.)com/file/0fk7wj

The decryption keys leaked by Janus are the ones victims receive after they pay the ransom.

However, if these keys are made publicly available, there is no need for the victim to pay the ransom. But why did he do so? Perhaps he just wanted to attract the attention to his Petya and Mischa RaaS service, officially released just a few hours prior to this leak.