Chimera Ransomware

Cyber criminals are using ransomware to target its victim and earn easy and fast money from them. Different types of ransomware are used by these cyber-criminals which work accordingly the way they were set-up and performs specific tasks and functions accordingly.  The recently used chimera ransomware which is comparatively newer than other ransomware and has been first seen affecting people in Germany since September. It is believed that it is named after the monstrous fire-breathing creature of Greek mythology.


Chimera Ransomware is distributed using the various method like sending false job invitations, business offers, attached with infected email attachments. Trend micro a Los-Angeles based security firm has uncovered new features of this malware, which spreads from the infected machine to distribute and infect more devices. After infecting the machine the ransomware completely encrypts the victim’s hard-drive and asks for some money as ransom from the victim, i.e. 2.4 bitcoins ($865) to decrypt the file, the attackers are also using the victim’s  private photos and videos to blackmail them and ask ransom from the victim.


How Chimera Ransomware works?

Chimera ransomware is spread through spear phishing technique where victims are sent an email attachment which is  infected and is linked with hosted malware server. For Eg: Let’s say an organization is asking people to send their resumes for the vacant post in their organization. The organization receives different job resumes with different attachments among which one of the mail is attached with malware, and as soon as someone downloads the file computer will get infected with the malware and will restart the computer and after it boots up the ransomware will post a desktop wallpaper with message that it has been infected and now will have to pay the ransom.


How to be safe from Chimera Ransomware?

Users should not click or download the file which are linked with other hosted sites even it looks like from a reliable source. Your system must be fully patched and all your clean data should be backup-ed  on at least two different places with different file formats.


How to remove Chimera Ransomware?

Chimera ransomware can be removed from the infected devices, but all the files may not work as it used to after removal of the ransomware. To remove this ransomware PCrisk has mentioned some process to be followed which is listed below.

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.



Video showing how to start Windows 7 in “Safe Mode with Networking”

Windows 8 users: Start Windows 8 in Safe Mode with Networking – Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened “General PC Settings” window select Advanced startup. Click “Restart now” button. Your computer will now restart into “Advanced Startup options menu”. Click the “Troubleshoot” button, then click the “Advanced options” button. In the advanced options screen click on “Startup settings”. Click the “Restart” button. Your PC will restart into Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Step 2

Log in to the infected account with the Chimera ransomware. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using “Safe Mode with Command Prompt” and “System Restore”:

  • During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


  • When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


  • Next, type this line: rstrui.exe and press ENTER.


  • In the opened window click “Next”.


  • Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the Chimera ransomware virus infiltrating your PC).


  • In the opened window, click “Yes”.


To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Chimera are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of files encrypted by Chimera, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Chimera.)

HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises such attempts without need for user intervention:


EasySync CryptoMonitor – kills an encryption infection and blacklists it from running again:


Other tools available tool remove Chimera ransomware:

Malwarebytes Anti-Malware


Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *