Chimera targets Windows OS and spreads via spear-phishing emails containing a link to a URL or a Dropbox file that hosts malicious downloads. Chimera then encrypts all files on the target system as well as data stored on mapped network drives, changing the file extensions to .crypt. Once that process is complete, Chimera displays a ransom note that threatens to release victims’ private data online if they do not pay. If payment is made, Chimera transfers the decryption key from the C2 server to the infected system using Bitmessage, a peer-to-peer (P2P) messaging application. The ransomware also offers victims the ability to become part of their “affiliate program” by helping infect other systems. Despite threats made by Chimera’s note, researchers determined that this ransomware does not have the capability of publishing victims’ files.

UPDATE 7/28/2016: A rival ransomware developer obtained and released approximately 3,500 decryption keys for Chimera which allowed security researchers to create a decryption tool.

  • Malwarebytes provides more information about Chimera, found here.
  • provides a free decryption tool for Chimera here and instructions are located here.

One example of the Chimera variant. Image Source: Trend Micro