CHIP, also known as CHIP Ransomware, is a virus that malware researchers estimate has already begun causing successful infections. It uses the RSA encryption algorithm and generates a unique decryption key for each file it encrypts. After doing so, the virus leaves a “CHIP_FILES.TXT” file with instructions to open a web page and contact the cyber criminals, as the screenshot in this article shows. This ransomware uses the RIG-E exploit kit, also known as Empire Pack, to achieve a successful infection, which suggests that a lot may have been invested in it. In case you have been infected by this ransomware, we advise you to immediately back up the .chip encrypted files on an external drive and read this article for more information on how to remove the malware and try to restore the encrypted files.
| Threat summary | CHIP ransomware |
|---|---|
| Short Description | The malware encrypts users' files with a strong RSA encryption algorithm and releases a unique decryption key for each encrypted file. Users are asked to contact the crooks on a Tor-based web page. |
| Symptoms | The user may witness ransom notes and “instructions” named “CHIP_FILES.TXT”. Files get the .CHIP file extension appended and are no longer openable. |
| Detection Tool | See If Your System Has Been Affected by CHIP (Malware Removal Tool) |
| User Experience | Join our forum to Discuss CHIP. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
CHIP Ransomware Distributed via RIG-E Exploit Kit
In order to infect users, this specific threat uses a very sophisticated and expensive infection method, the RIG-E exploit kit, also known as Empire Pack. At the time of writing, this new exploit kit is achieving a higher infection rate than its predecessors, and this is what concerns malware researchers.
The virus file that utilizes the exploit kit may be of different executable file types containing malicious scripts. Researchers at MalwareTraffic Analysis have concluded that CHIP also utilizes a script that connects to a malicious URL and downloads the payload of the virus. It is widely believed that the script is activated from a compromised website, which causes the malicious redirect and downloads the payload of the CHIP ransomware. The spammed e-mails may contain URLs of this type while posing as a legitimate e-mail from a service, like the fake PayPal e-mail shown in the article's screenshot.
However, the e-mails may also carry malicious .js, .wsf, .hta or .html attachments and pose as an important message with a receipt or an invoice in it to convince users to open the attachment.
Whatever the case may be, once the malicious web link is opened, it connects via a script to another web link hosting the exploit kit, which downloads the following malicious RIG files as a payload:
- A .txt file which is an artifact.
- A flash-exploit in a .swf file format.
- A landing page in a text file.
- The payload of CHIP ransomware in an .exe type of file.
- The “CHIP_FILES.txt” readme file of CHIP ransomware.
- A .txt file which has an injected script, most likely created for research purposes.
The payload of CHIP ransomware may carry various file extensions and names. Malware researchers report it to be located in the %AppData% folder under a strange name.
CHIP Ransomware – Post-Infection Analysis
After an infection with CHIP ransomware has been conducted, the malware begins to encrypt user files using the Rivest-Shamir-Adleman, or RSA, encryption algorithm. For those unfamiliar with it, this cipher transforms the file's data, replacing blocks of it with ciphertext produced by the cipher, so the content cannot be read without the matching key. The length of that key determines how strong the encryption is.
The CHIP ransomware targets video files, audio files, databases, virtual drives, Microsoft Office documents and Adobe .PDF files; after encryption, the encoded files appear like the following:
CHIP ransomware, like any other ransomware virus, adds its instructions as well. They are dropped in a “CHIP_FILES.txt” file with the following contents:
“YOUR ID: (Personal ID)
All Your files are encrypted!
For more specific instructions, please visit a support home page:
To see this page follow these steps:
1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – After a successful installation, run the browser
3 – Type in the address bar – http://mm6x57ri2coivya6.onion
4 – Follow the instructions on the site
Attention: DO NOT USE ANY PUBLIC DECRYPTERS! YOU CAN DAMAGE YOUR FILES!
YOUR ID: (Personal ID)”
After going to the web page, the user sees another note with a platform asking users to write a message to the cyber-criminals:
“Your files are encrypted!
If You want to restore Your system, You need to use a contact form below.
Leave Your ID number (ID number is located in the “CHIP_FILES.TXT”) and contact email.
Our appointment coordinators will contact you within 24 hours!
Attention: DO NOT USE ANY PUBLIC DECRYPTERS! YOU CAN DAMAGE YOUR FILES!”
If you write a message, leaving your e-mail address and the ID, the page will respond with the following message:
“Thank you for contacting us. We have received your message and will respond as soon as possible!”
How to Remove CHIP Ransomware and Get Your Files Back
The conclusion for this ransomware is that it is no joke, because it uses an algorithm that is very difficult to break unless you have the research skills and luck to reverse engineer it. This is what malware researchers will most likely do in the future; however, it may not be soon. Whatever the case may be, we advise you to back up the encrypted files (instructions for cloud backup can be found below) and under no circumstances pay any form of ransom fee requested by the cyber criminals.
To remove CHIP, if you have experience in removing malware, use the information in this article carefully to take care of this virus. In case you lack the experience, we advise you to download an advanced anti-malware program that will automatically remove every file and registry object of RIG-E and CHIP ransomware from your computer.
After having removed CHIP and backed up the encrypted files, your remaining option is to try the alternative methods suggested in step “2. Restore files encrypted by CHIP” below. They are not 100% effective, so be careful while attempting them. They are a good temporary solution until professional malware analysts discover a free decryption solution; when this happens, we will update this web page with a link to it.
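As an added example that is not part of the original article, the following Python script triages a directory tree for the indicators described above (the .CHIP extension and the CHIP_FILES.TXT note with its “YOUR ID” line) and copies the encrypted files, untouched, to a backup folder, which is the first step recommended in this section. The directory layout, file names and ID it builds are constructed sample data, not values from a real infection.

```python
import re
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".chip"        # extension CHIP appends to encrypted files
NOTE_NAME = "chip_files.txt"   # ransom note dropped beside them
ID_RE = re.compile(r"YOUR ID:\s*(\S+)", re.IGNORECASE)
# Constructed note modelled on the wording quoted above; the ID is made up.
SAMPLE_NOTE = "YOUR ID: ABC123-SAMPLE\nAll Your files are encrypted!\n"


def parse_victim_id(note_text):
    """Return the ID from a CHIP_FILES.TXT note, or None if it is missing."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def triage(root, backup_dir=None):
    """Inventory .CHIP files and ransom notes under root; return
    (encrypted_paths, victim_ids, copied). With backup_dir set, every
    encrypted file is copied there via copy2 so timestamps survive."""
    root = Path(root)
    encrypted, ids = [], set()
    for path in (p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
        elif path.name.lower() == NOTE_NAME:
            vid = parse_victim_id(path.read_text(errors="replace"))
            if vid:
                ids.add(vid)
    copied = 0
    if backup_dir is not None:
        for src in encrypted:
            dest = Path(backup_dir) / src.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)  # originals are left untouched
            copied += 1
    return encrypted, ids, copied


def demo():
    """Build a constructed infected tree in a temp dir and triage it."""
    base = Path(tempfile.mkdtemp())
    docs = base / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.CHIP").write_bytes(b"\x00ciphertext\x00")
    (docs / "notes.txt").write_text("plain file, not encrypted")
    (docs / "CHIP_FILES.TXT").write_text(SAMPLE_NOTE)
    encrypted, ids, copied = triage(base / "victim", base / "backup")
    backed = (base / "backup" / "Documents" / "report.docx.CHIP").exists()
    return len(encrypted), sorted(ids), copied, backed
```

Preserved timestamps on the copies let you reconstruct when encryption started, and the extracted ID is what a future free decrypter or an analyst would need from you.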