Over the past two weeks there has been a lot of press regarding the Chimera Ransomware and its threat to publish your data online. Even though this is a scary threat, the reality is that Chimera does not have the ability to publish your files anywhere. This scare tactic, though, is not what makes the Chimera Ransomware interesting. Instead it is its novel approach to distributing decryption keys to victims who have paid, using the Bitmessage peer-to-peer messaging application.

Unlike other ransomware infections, Chimera does not have a TOR site on which victims manage payments and download a decrypter. Instead, Chimera uses the Bitmessage peer-to-peer messaging application to carry all communication between the victim's computer and the malware developer, so no dedicated command and control server is needed. This creates a decryption service that is incredibly portable, hides the developer's location, and is difficult, if not impossible, to take down, as every peer in the network is helping to relay the keys.

To better understand how Chimera works we first need a quick primer on Bitmessage. Bitmessage is a peer-to-peer messaging application that allows a user to anonymously send encrypted messages that can only be decrypted by the recipient. A Bitmessage address is derived from a hash of the recipient's public keys; when a message is sent to that address, the sender's client fetches the matching public encryption key from the network, encrypts the message with it, and floods the ciphertext to every client on the Bitmessage peer-to-peer network. When a Bitmessage client receives a message it tries to decrypt it using its own private keys. If a client is able to decrypt the message, then it knows the message was intended for it and shows it in the Inbox. Since every message passes through every client connected to the network, nothing other than the sender's non-personally identifiable address is revealed about the sender's location or identity.

Example of a Bitmessage Inbox

Thanks to analysis done by Fabian Wosar of Emsisoft, we are able to see how Chimera uses Bitmessage as its communication method with the ransomware developer. When Chimera infects a user it uses an embedded PyBitmessage application to send a Bitmessage to the developer that contains information such as the victim's private key, the victim's hardware ID, and the victim's payment bitcoin address. According to Fabian, the "hardware ID is a hash based on the local NICs in that system, the volume serial number of the boot volume, and the computer name". 

Chimera will then begin to encrypt any data files it finds on connected drives. Analysis by Nathan Scott shows that only files with the following extensions are encrypted:

.jpg, .jpeg, .vmx, .txt, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .cfg, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .cs, .asp, .aspx, .cgi, .h, .cpp, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .js, .jar, .py, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .lnk, .po, .dcu, .pas, .dfm, .directory, .pbk, .yml, .dtd, .rll, .lib, .cert, .p12, .cat, .inf, .mui, .props, .idl, .result, .localstorage, .ost, .default, .json, .db, .sqlite, .log, .bat, .ico, .dll, .exe, .x3f, .srw, .pef, .raf, .orf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .ai, .eps, .pdd, .dng, .dxf, .dwg, .psd, .ps, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .zip, .rar, .gzip, .vmdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ptx, .ape, .aif, .wav, .ram, .ra, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa, .aa3, .amr, .mkv, .dvd, .mts, .qt, .vob, .3ga, .ts, .m4v, .rm, .srt, .aepx, .camproj, .dash, .txt, .doc, .docx, .docm, .odt, .ods, .odp, .odf, .odc, .odm, .odb, .rtf, .xlsm, .xlsb, .xlk, .xls, .xlsx, .pps, .ppt, .pptm, .pptx, .pub, .epub, .pdf

After the files are encrypted, Chimera will display a ransom note that explains what has happened to the victim's files, gives instructions on how to make a payment, and links to the decrypter, which must be running when the payment is made so that it can receive the key and decrypt the files.

When a user downloads and installs the decrypter, it is installed into the C:\Program Files (x86)\Chimera Decrypter folder along with the Bitmessage application. Once started, it searches for your encrypted files and then sits on a screen waiting for a payment to be made. It detects whether a payment has been made by periodically connecting to Blockchain.info and checking the balance of the victim's assigned bitcoin address.

Chimera Decrypter waiting for a Payment

Once a payment has been detected, the screen will change to indicate that a payment was made and that you should leave the decrypter running until the key is sent to it. At this point, the decrypter also creates a Bitmessage subscription to the address BM-2cWsXQDYSueEKCtcJS8wzAka3KiYYYC9rB and labels it PaymentBroadcast. A Bitmessage subscription allows the owner of an address to broadcast messages to everyone subscribed to it. In this case the malware developer uses it to send broadcast messages that contain the private keys of paid victims who have not yet decrypted their files.

Chimera Decrypter waiting for the Decryption Key to be sent

When the malware developer determines that a payment has been made, they add a new line to the broadcast message containing the victim's hardware ID and the BASE64 encoded private key, separated by a colon, and send it to all subscribers of the PaymentBroadcast subscription. An example of a hardware ID and decryption key pair can be seen below.

56209A92A96E9F96B0D9E6F962D0D9EF:[BASE64 encoded private key omitted here]

As you can see in the above message, the hardware ID and the private decryption key are separated by a colon. Because anyone can subscribe to a Bitmessage address, every key the developer broadcast was visible to all subscribers, not just the victim it belonged to. During the period that Fabian was monitoring this subscription broadcast, there were 13 keys being distributed, as shown below.

PaymentBroadcast Messages in Bitmessage

When the decrypter receives a subscription broadcast it splits the message into its hardware ID and private key pairs and checks whether the victim's hardware ID matches any of the ones sent in the PaymentBroadcast. If the hardware ID matches, it stores the decryption key and sends a message back to the malware developer indicating that the key has been received.

You can see the decompiled code that parses the subscription broadcast, extracts the key, and notifies the developer below:

          // Decompiled from the Chimera Decrypter (C#). "message" holds this machine's
          // hardware ID; _bitMessageApiClient talks to the bundled Bitmessage client.
          foreach (InboxBitMessage inboxBitMessage in this._bitMessageApiClient.GetAllInboxMessages())
          {
            // Only act on broadcasts from the developer's address with the expected subject
            if (inboxBitMessage.From.Equals("BM-2cWsXQDYSueEKCtcJS8wzAka3KiYYYC9rB") && inboxBitMessage.Subject.Equals("PaymentBroadcast"))
            {
              string content = inboxBitMessage.Content;
              char[] chArray = new char[1]
              {
                '\n'
              };
              // One "hardwareID:base64PrivateKey" pair per line
              foreach (string str in content.Split(chArray))
              {
                try
                {
                  string[] strArray = str.Split(':');
                  if (strArray[0].Equals(message))
                  {
                    // Store our private key, tell the developer (from a freshly
                    // generated random address) that it was received, and stop polling
                    this.MainWindowViewModel.Session.PrivateKey = strArray[1];
                    this._bitMessageApiClient.SendMessage("BM-2cWsXQDYSueEKCtcJS8wzAka3KiYYYC9rB", this._bitMessageApiClient.CreateRandomAddress("Address", false, 1, 1), "DecryptionMessage", message, 2);
                    this.Running = false;
                    break;
                  }
                }
                catch
                {
                  // Malformed lines (for example, no colon) are silently ignored
                }
              }
            }
          }
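
The same broadcast handling in Python, written as an added example for this article (it is not code from the page or from the Chimera decrypter), extended to the view an analyst monitoring the subscription would have: it collects every hardware ID and key pair in a broadcast (which is how Fabian could count 13 keys), skips malformed lines explicitly instead of with an empty catch, ignores messages that do not come from the developer's address, and builds the DecryptionMessage receipt the decrypter sends back. The broadcast body, the key bytes and the inbox message dictionaries are constructed for the example; the hardware ID format (32 uppercase hex characters) is assumed from the single value shown on the page, and PyBitmessage itself is not driven here.

```python
import base64
import binascii
import re
from typing import Dict, Optional

BROADCAST_SENDER = "BM-2cWsXQDYSueEKCtcJS8wzAka3KiYYYC9rB"
BROADCAST_SUBJECT = "PaymentBroadcast"
RECEIPT_SUBJECT = "DecryptionMessage"

# Assumed from the one hardware ID on the page: 32 uppercase hex characters.
HWID_RE = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample broadcast body: one "hardwareID:base64PrivateKey" per line.
# The IDs and key bytes are made up; a malformed line and a blank line are
# included to exercise the error handling the decrypter's empty catch hides.
SAMPLE_BROADCAST = "\n".join([
    "56209A92A96E9F96B0D9E6F962D0D9EF:" + base64.b64encode(b"victim-1 private key bytes").decode(),
    "0123456789ABCDEF0123456789ABCDEF:" + base64.b64encode(b"victim-2 private key bytes").decode(),
    "not a valid line",
    "",
])


def parse_payment_broadcast(body: str) -> Dict[str, bytes]:
    """Map every hardware ID in the broadcast to its decoded private key.

    Lines that are not "<32 hex chars>:<valid base64>" are skipped. An analyst
    subscribed to the address sees exactly this: all paid victims' keys."""
    keys: Dict[str, bytes] = {}
    for line in body.split("\n"):
        hwid, sep, encoded = line.strip().partition(":")
        if not sep or not HWID_RE.match(hwid):
            continue
        try:
            keys[hwid] = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue
    return keys


def key_for_victim(message: Dict[str, str], my_hwid: str) -> Optional[bytes]:
    """Replicate the decrypter's check on one inbox message.

    Only broadcasts from the developer's address with the expected subject are
    considered, and only the line whose hardware ID matches this machine."""
    if message.get("from") != BROADCAST_SENDER or message.get("subject") != BROADCAST_SUBJECT:
        return None
    return parse_payment_broadcast(message.get("content", "")).get(my_hwid)


def build_receipt(my_hwid: str) -> Dict[str, str]:
    """The acknowledgement the decrypter sends back: subject DecryptionMessage,
    body = hardware ID, addressed to the developer's broadcast address. The
    decrypter sends it from a freshly generated random Bitmessage address."""
    return {"to": BROADCAST_SENDER, "subject": RECEIPT_SUBJECT, "body": my_hwid}


if __name__ == "__main__":
    inbox = [
        {"from": BROADCAST_SENDER, "subject": BROADCAST_SUBJECT, "content": SAMPLE_BROADCAST},
        {"from": "BM-someoneElse", "subject": BROADCAST_SUBJECT, "content": SAMPLE_BROADCAST},
    ]
    me = "56209A92A96E9F96B0D9E6F962D0D9EF"
    for msg in inbox:
        key = key_for_victim(msg, me)
        if key is not None:
            print("key received:", key)
            print("sending:", build_receipt(me))
            break
    print("keys visible to any subscriber:", len(parse_payment_broadcast(SAMPLE_BROADCAST)))
```

Note that the From check is the only thing tying a broadcast to the developer; Bitmessage broadcasts are signed by the sending address, so a subscriber cannot be fed keys by a third party, but equally every subscriber receives every victim's key.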

Once the decrypter is able to retrieve the key for a victim it automatically begins decrypting the encrypted files. 

As you can see, using Bitmessage is a novel approach to managing the distribution of decryption keys, as it does not require a dedicated server, hides the identity of the malware developer, and is very difficult, if not impossible, to take down. At the time of this writing it does not look like the Chimera Ransomware is active anymore, but given how well this distribution method worked, I would not be surprised to find future malware that utilizes it.