Ransomware-as-a-Service platforms are becoming more popular

Dec 3, 2015 22:10 GMT  ·  By

The latest version of the Chimera ransomware has added an affiliate program option that, for some strange reason, encourages victims to join in the fun.

The Chimera ransomware has been around for some years (Ransom_CRYPCHIM.A), but recently got the public's attention after, at the start of November, one of its recent variants started threatening to publish users' files online if they didn't pay the ransom in time.

We've talked about Chimera's shady tactics in a previous article, and about the ransomware's technical inability to exfiltrate and then publish encrypted files. In this article, we'll talk about a recent addition to Chimera, noted by security researchers from Trend Micro.

Chimera creators are looking for partners in crime

According to Anthony Joe Melgarejo, Threat Response Engineer for Trend Micro, Chimera's authors started showing a peculiar message at the bottom of the ransom note.

The message reads, "Take advantage of our affiliate-program! More information in the source code of this file."

The researcher went through the ransomware's code and eventually found an address for Bitmessage, a service that enables secret message exchanges between two individuals via P2P connections.

Apparently, the message at the bottom of the ransom screen was not an accident, and Chimera's creators have decided to offer their code as ransomware-as-a-service (RaaS).

The ransom note may not be the best place to advertise a RaaS

The whole thing is quite strange, mainly because this message is shown to the ransomware's victims, and not on hacking forums on the Dark Web.

The entire tactic is a little bit stupid, mainly because Chimera would have to infect another hacker for him to see the message, and the ransomware's creators would have had more success if they had promoted their RaaS platform on forums like Darkode.

"Peddling ransomware as a service (or RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators," says Mr. Melgarejo. "Selling ransomware as a service allows creators to enjoy some profit without the increased risk of detection."

And to be honest, we don't think Chimera would have any success anyway, mainly because of its high 50% commission, much higher than what the competition is offering. For example, FAKBEN is offering its RaaS platform for only a 10% fee.

Affiliate program mention in the ransom note