The operators behind the Petya and Mischa double-pack of ransomware trouble have been busy entrepreneurs this week, delivering a one-two punch to the competition.
One of those punches was to offer the two variants via Ransomware-as-a-Service (RaaS) so that any wannabe crook can become an official distributor.
The second punch: purportedly skewering a rival gang by releasing about 3,500 RSA private keys allegedly corresponding to systems infected with the ransomware Chimera.
On Tuesday, the operators posted those keys onto Pastebin, saying that this should enable someone to create decryptors for this older ransomware.
Here’s what the Mischa developers had to say:
Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project.
Additionally we now release about 3500 decryption keys from Chimera.
It will take some time to determine if the leaked RSA keys will actually work to decrypt files locked up by Chimera and for someone to write a decryptor program, but for now, there’s at least hope that victims can get their data back. So don’t delete those encrypted files yet!
Unfortunately, it’s not time to relax: not by a long shot. Given the new affiliate system, which gives participants a chance to distribute the malware for a chunk of the profits, the RaaS variants are poised to be spread far and wide.
Lawrence Abrams, founder of the tech support forum BleepingComputer.com, put it this way:
Unfortunately, this will most likely lead to a greater amount of distribution campaigns for this ransomware.
What to do?
We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.
Here are some links we think you’ll find useful:
- To defend against ransomware in general, see the Sophos paper “How to stay protected against ransomware”
- To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad
- To protect against misleading filenames, tell Explorer to show file extensions
- To protect against VBA malware, tell Office not to allow macros in documents from the internet
- To learn more about ransomware, listen to our Techknow podcast
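The three Windows and Office hardening steps in that list are easy to apply by hand but easy to drift away from on a fleet, so here is an added PowerShell audit script (example code, not from the article or from Sophos) that reports whether each one is in place on the machine it runs on. It is read-only. The registry locations are the standard Explorer, file-association and Office ones; the list of Office versions and applications it looks at (16.0 only, Word/Excel/PowerPoint) is an assumption you may need to widen, and it only reports on applications whose keys exist.

```powershell
# Added example (not the article's code): audit the three hardening settings
# recommended above. Read-only; nothing is changed.
$results = @()

# 1. Does Explorer show file extensions?  HideFileExt = 0 means "show them";
#    the Windows default (value 1 or absent) hides them, which is what lets
#    "invoice.pdf.js" masquerade as a PDF.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide   = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
$results += [pscustomobject]@{
    Check  = 'Explorer shows file extensions'
    State  = if ($null -eq $hide) { 'HideFileExt not set (default: hidden)' } else { "HideFileExt=$hide" }
    Passed = ($hide -eq 0)
}

# 2. What opens a double-clicked .js file?  The machine-wide handler lives under
#    JSFile\Shell\Open\Command and by default launches WScript.exe (a script host).
#    A per-user UserChoice entry, if present, overrides it, so both are inspected.
$jsCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command' `
            -ErrorAction SilentlyContinue).'(default)'
$userChoice = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice' `
                 -ErrorAction SilentlyContinue).ProgId
$effective = if ($userChoice) { "UserChoice ProgId=$userChoice" } elseif ($jsCmd) { $jsCmd } else { '(no handler registered)' }
$results += [pscustomobject]@{
    Check  = '.JS files open in Notepad, not a script host'
    State  = $effective
    # Pass only if the effective handler clearly points at Notepad and no
    # script-host handler remains in play.
    Passed = ($effective -match 'notepad') -and ($effective -notmatch 'wscript|cscript')
}

# 3. Does Office block macros in documents that came from the internet?
#    BlockContentExecutionFromInternet = 1 (Office 2016/16.0 and later).  It can be
#    set per user or pushed as policy; either location satisfies the check.
#    ASSUMPTION: only version 16.0 and these three applications are examined.
$officeVersions = @('16.0')
$officeApps     = @('Word', 'Excel', 'PowerPoint')
foreach ($ver in $officeVersions) {
    foreach ($app in $officeApps) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }  # app not installed
        $u = (Get-ItemProperty -Path $userKey   -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        $p = (Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        $results += [pscustomobject]@{
            Check  = "$app $ver blocks macros from the internet"
            State  = "user=$(if ($null -eq $u) {'unset'} else {$u}); policy=$(if ($null -eq $p) {'unset'} else {$p})"
            Passed = ($u -eq 1) -or ($p -eq 1)
        }
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Passed }).Count
Write-Host ("{0} of {1} checks failed" -f $failed, $results.Count)
```

Run it in a normal user session (the settings are per-user, so running elevated as a different account audits the wrong profile). A non-zero failure count is the cue to apply the matching step from the list above, ideally through Group Policy so the setting does not quietly revert; turning the report into a scheduled job that ships its output to your logging pipeline gives you a cheap, continuous check that the hardening is still there.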