CHIP targets Windows OS and is distributed via the RIG-E exploit kit on compromised websites. Once a system is infected, CHIP downloads a unique RSA-512 encryption key from its C2 servers. This key is used to encrypt the AES encryption key that CHIP uses to encrypt the victim’s files. It appends .chip to the end of encrypted file names and drops a ransom note named CHIP_FILES.txt on the system. Because of the methods of encryption used, security researchers do not believe that a few decryption tool could be made for this variant. The ransom demand is currently unknown.

UPDATE 12/10/2016: A new version appends .dale to encrypted files and drops a ransom note named DALE_FILES.txt.

  • Bleeping Computer provides more information about CHIP here.
  • Malware-Traffic-Analysis.Net provides CHIP IoCs and malware samples, here.
  • The NJCCIC is not aware of any decryption tools available for CHIP.