Chimera Ransomware Uses Peer-to-Peer for Decryption

A recent ransomware operation uses an uncommon peer-to-peer system to collect data about users and distribute the important security keys to those who are willing to pay to get their data back.

Ransomeware Key

A ransomware program known as Chimera has adopted a relatively unknown peer-to-peer messaging system to communicate with the criminals’ command-and-control server, making investigating the infrastructure more difficult, according to security researchers.

The messaging system, known as BitMessage, is a communications system that allows messages to be encrypted, prevents spoofing and relieves the user of any need for key management. While the system is intended to help regular people secure their communications, criminals have adapted the software as well.

Chimera uses the peer-to-peer system to collect information about a victim’s system and then invokes a code key to encrypt their data, Chimera makes it much more difficult for investigators to find the servers used to manage the ransomware, Fabian Wosar, a developer for security-software firm Emisoft, told eWEEK in an e-mail interview on Nov. 19.

“It makes it a lot more difficult to shut the entire operation down, as it is not as simple as finding and closing down the malware author’s server,” he said. “The actual payments are done using Bitcoin, so tracking the payments is not more or less difficult than with most other ransomware these days.”

The Chimera ransomware gained attention earlier this month for its operators’ claim that they would publish data stolen from any victim who did not pay the ransom. Yet, security researchers argued that such functionality would be very difficult to efficiently manage. Currently, ransomware is profitable because the attack is very scalable, and infecting and collecting money from a large number of victims is fairly easy. If data is stolen, however, it would mean a great deal of work for the criminals and it could possibly leave a trail back to their operations, making the crime more complex and hazardous.

In addition, Wosar, who analyzed the malware, found no code capable of stealing data from victims’ systems.

While its threat to publish victims’ private data has fallen flat, the Chimera ransomware’s use of a peer-to-peer encrypted messaging system poses a more significant danger, according to security researchers.

After it infects a victim’s system, Chimera will send information about the system and encryption keys to the operator of the scam, according to an analysis in malware information site BleepingComputer. When Chimera has finished encrypting a computer’s data, the program will use a feature of BitMessage, known as a subscription, to act as a communication channel between infected systems and the command-and-control servers.

The subscription channel used by Chimera has reportedly fallen silent this week, suggesting that the ransomware operation may be changing its infrastructure or shutting down.

"At the time of this writing it does not look like the Chimera ransomware is active anymore, but with the success of this (encrypted) distribution method, I would not be surprised to find future malware that utilizes it," Lawrence Abrams, computer forensics expert and owner of BleepingComputer, wrote in his analysis.

Chimera first started infecting systems in Germany earlier this fall, according to security-information site Botfrei.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...