CHIP Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 5
First Seen: November 22, 2016
Last Seen: March 24, 2020
OS(es) Affected: Windows

The CHIP Ransomware is a ransomware Trojan that is being distributed using the RIG Exploit Kit, also known as the Empire Exploit Kit. It is a new addition to this exploit kit's arsenal. The CHIP Ransomware itself is not particularly unique and is clearly derived from various other ransomware Trojans that have been active in the last year.

How the CHIP Ransomware may be Installed on a Victim’s Computer

Most ransomware similar to the CHIP Ransomware is distributed through corrupted spam email campaigns. The CHIP Ransomware is instead injected into the victim's computer by an exploit kit that takes advantage of vulnerabilities in the victim's applications and operating system, which makes the CHIP Ransomware attack particularly threatening. Exploit kits can be used to distribute a wide variety of threats. The Empire or RIG Exploit Kit had already been active for some time; in this case, it has been used to distribute the CHIP Ransomware, injecting it into victims' computers.

When the CHIP Ransomware infects a computer, it will download a unique RSA-512 encryption key from the CHIP Ransomware's Command and Control servers. This key is used to encrypt the AES encryption key that was used to encrypt the victim's files. This two-step encryption procedure is typical of these encryption ransomware Trojans and is part of the reason why they can be so difficult to deal with. The CHIP Ransomware is designed to encrypt the victim's files, adding the extension '.CHIP' to each file that has been encrypted. This is also typical of these types of attacks.

How the CHIP Ransomware Attack Works

The CHIP Ransomware attack is typical of ransomware Trojans. Essentially, the CHIP Ransomware extorts the victim by taking the victim's files hostage, encrypting them so that they are no longer accessible. The CHIP Ransomware will then demand the payment of a ransom after dropping a text file named 'CHIP_FILES.txt', which alerts the victim to the attack and instructs the victim on how to pay the ransom. Victims of the CHIP Ransomware are asked to pay through TOR to remain anonymous, and are asked to leave an ID number and a message. It is currently not known how much money the CHIP Ransomware demands to restore the victim's files. Unfortunately, due to the strength of the encryption method that is being used, it is very unlikely that computer users will be able to recover from a CHIP Ransomware attack without the decryption key. Because of this, prevention is essential in dealing with the CHIP Ransomware and other ransomware Trojans.

Further Details Associated with the CHIP Ransomware and the RIG-E Exploit Kit

There are several versions of the RIG Exploit Kit. The CHIP Ransomware is associated with the 'Empire' version of this threat. This exploit kit is known for using a strong obfuscation method to prevent computer security specialists from studying its attack in detail. This exploit kit will change its payloads regularly, with the CHIP Ransomware payload being used in November of 2016. It is likely that this payload will be switched out for a different type of attack in variants of this exploit kit.

Preventing the CHIP Ransomware Attacks

The best way to deal with the CHIP Ransomware is to prevent the attacks by having backups of all files. PC security researchers strongly advise computer users to back up their files regularly. Threats like the CHIP Ransomware will target all local drives, shared drives, and removable memory devices on the infected computer. If there are backups of the encrypted files, then computer users can recover quickly by replacing the infected files with the backups after the CHIP Ransomware infection itself has been removed. If no backups exist, then it may not be possible to decrypt the files encrypted by the CHIP Ransomware.
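
As an added example (not part of the original entry), the following read-only Python sketch uses the two indicators described above, the '.CHIP' extension and the 'CHIP_FILES.txt' ransom note, to inventory an affected directory tree and check which encrypted files have a copy in a backup. The function names and the sample file names are constructed for illustration, and it assumes that the original file name is kept in front of the added extension and that the backup mirrors the affected directory layout.

```python
import os
from pathlib import Path

ENCRYPTED_EXT = ".chip"         # extension named in this entry, compared case-insensitively
RANSOM_NOTE = "chip_files.txt"  # ransom note name from this entry, compared case-insensitively

def build_restore_plan(affected_root, backup_root):
    """Inventory what a CHIP infection left under affected_root (nothing is modified).

    Returns a dict of paths relative to affected_root:
      notes         - ransom notes found
      restorable    - {encrypted file: matching file in the backup}
      unrecoverable - encrypted files with no backup copy
    Assumption: backup_root mirrors the directory layout of affected_root.
    """
    affected_root, backup_root = Path(affected_root), Path(backup_root)
    plan = {"notes": [], "restorable": {}, "unrecoverable": []}
    for dirpath, _dirs, files in os.walk(affected_root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(affected_root)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                plan["notes"].append(rel)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # 'report.docx.CHIP' -> 'report.docx' (assumed pre-encryption name)
                original = rel.with_name(name[: -len(ENCRYPTED_EXT)])
                backup = backup_root / original
                if backup.is_file():
                    plan["restorable"][rel] = backup
                else:
                    plan["unrecoverable"].append(rel)
    plan["notes"].sort()
    plan["unrecoverable"].sort()
    return plan

def build_demo_tree(base):
    """Create constructed sample data: an 'affected' tree and a partial backup."""
    base = Path(base)
    for rel in ("affected/docs/report.docx.CHIP", "affected/docs/CHIP_FILES.txt",
                "affected/pics/photo.jpg.chip", "affected/docs/untouched.txt",
                "backup/docs/report.docx"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample data")
    return base / "affected", base / "backup"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(build_restore_plan(*build_demo_tree(tmp)))
```

The 'unrecoverable' list is the part that matters for planning: those are the files for which, as noted above, no backup exists to restore from.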