The creators of the “Petya” and “Mischa” ransomware have leaked around 3,500 RSA private keys belonging to a rival ransomware, Chimera. The keys allegedly correspond to victims’ systems that were infected by Chimera.
Mischa’s developers claim that earlier this year they gained access to large parts of the development system used by the coder team behind Chimera. After the hack, the rival gang obtained Chimera’s source code and integrated some of it into their own ransomware project, according to a Pastebin message. Malwarebytes, an internet security company, had already confirmed this in a report last month, in which it said Mischa shares “some components” with Chimera.
There is no official confirmation yet that the leaked RSA keys actually work for decrypting files on Chimera-infected systems; however, there is a good chance that they are legitimate. Malwarebytes researchers made this statement in their blog post:
“Checking if the keys are authentic and writing a decryptor will take some time – but if you are a victim of Chimera, please don’t delete your encrypted files, because there is a hope that soon you can get your data back.”
Chimera appeared in November and differs from other types of ransomware: it threatens victims that, if they don’t pay up, it will not only encrypt their files but also upload them to the internet for anybody to see. This capability has not been confirmed; according to tech researchers, it is just an intimidation tactic used to extract more money from victims.
Mischa appeared in May and is usually delivered together with another ransomware program, Petya, which encrypts the master file table (MFT) of hard disk drives. While Petya’s form of encryption requires admin access, Mischa is used as a fallback when the needed privileges cannot be obtained. Mischa behaves like most ransomware programs, encrypting files directly.
On Tuesday, the coders of Mischa and Petya launched an affiliate system, which could turn their malware combo into ransomware as a service (RaaS), meaning other cybercriminals can sign up to distribute the malicious programs in exchange for a percentage of the profits. Lawrence Abrams, the founder of the tech support forum BleepingComputer.com, said in a blog post about the affiliate program:
“Unfortunately, this will most likely lead to a greater amount of distribution campaigns for this ransomware.”