Ransomware-peddling cybercrooks have come up with a sinister twist to their increasingly well-worn scam – online publishing.
Instead of just simply encrypting files on compromised Windows PCs, the relatively new Chimera ransomware offers victims a threat – if they don’t pay up, their data will be published online, presumably for all the world to see.
Scam emails punting the menace appear under the guise of job applications or business offers. Security researchers from anti-malware firm Botfrei spotted the ransomware, which is said to be targeting German SMBs.
If activated, Chimera also attempts to encrypt network drives connected to compromised Windows PCs, as a blog post by Botfrei explains.
So this is full-spectrum blackmail, providing cybercrooks are actually in a position to deliver on their threats. However, that seems far from certain.
For one thing, even Botfrei reports there is no evidence that personal data has actually been published on the internet. It doesn’t know whether private keys are handed over if victims meet extortionate payments either. All it knows is that the scam has been doing the rounds in Germany for at least the last couple of weeks.
Ransomware normally works by encrypting files on local machines without siphoning it off and storing it on the cloud. And there’s no immediate technical difference that would show Chimera ransomware is capable of any such thing.
Troy Gill, manager of security research at AppRiver, commented: "While this specific threat is a new addition to the crypto ransomware malware family, it is in perfect keeping with typical malware attacks. Making threats is the name of the game when it comes to ransomware or 'scareware'."
He added: “However, I think it is very unlikely that the victim is in any real danger of having their actual documents posted online. With all instances of cryptographic ransomware that we have observed in the past few years, all have simply encrypted the users files on their machine.
"None have shown any evidence that the documents were exfiltrated from the victims machine. Doing so would be a significant increase in risk for the attacker with much less reward,” Gill said, adding that Chimera is “essentially a variant of CryptoLocker with the added scareware element”.
“If this tactic (of threatening to release documents online) proves to increase the attackers effectiveness then we can rest assured it will become more widespread,” he concluded.
Whether the tactic will work is far from certain. Leaking otherwise locked-up data might actually suit some victims.
Ransomware, in general, highlights the need to keep backups, run up-to-date security software and apply common sense while surfing online, especially when it comes to opening suspicious email attachments and the like.
None of this is certain but anything that minimises the chances of getting infected ought to be encouraged. ®