Ransomware Author Leaks Rival’s Decryption Keys

Victims of the Chimera ransomware were thrown a lifeline this week after a rival malware author appeared to leak the decryption keys online.

In a post spotted by Malwarebytes on Tuesday, the Twitter user @Janussecretary linked to a Pastebin document containing the keys and a message.

The user claimed to be the author of the Mischa ransomware, adding:

“Like the analysts already detected, Mischa uses parts of the Chimera source. We are NOT connected to the people behind Chimera. Earlier this year we got access to big parts of their development system, and included parts of Chimera in our project.

Additionally now we release about 3500 decryption keys from Chimera. They are RSA private keys and shown below in HEX format. It should not be difficult for antivirus companies to build a decrypter with this information.”

However, Malwarebytes said it would take some time before it could be sure the decryption keys were genuine and could write a decryptor tool with them.

This isn’t the first time that ransomware victims have been rescued by an unlikely source.

In May, Avira researcher Sven Carlsen revealed that someone with access to one of the C&C servers linked to the infamous Locky ransomware had replaced the malware with a 12kb binary with the message ‘Stupid Locky.’

Ransomware continues to cause havoc for consumers and organizations that are struck down.

New stats from Panda Security yesterday claimed that the category dominated the 18 million new malware samples it discovered in the second quarter.

The firm said that over just a three-week period it had blocked 3000 instances of Cerber ransomware, which was being spread using Windows Management Instrumentation Command-line (WMIC).

The smart advice is to take a preventative approach, using layered defense at the web and email gateway, endpoint, server and network level. IT admins are also advised to back up data using a 3-2-1 approach – that is, at least three copies, in two different formats, with one copy residing off site.

Source: Information Security Magazine