Security experts reported a new strain of malware spreading in China, the malicious code rapidly infected over 100,000 PCs in just four days.
Unfortunately, the number of infections is rapidly increasing because hackers compromised a supply chain.
It is interesting to note that this ransomware requests victims to pay 110 yuan (nearly Euro 14) in ransom through WeChat Pay.
“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by anti-virus firm Velvet Security
“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.”
Victims are prompted to pay the ransomware to attackers’ WeChat account within 3 days to receive the decryption key. If the victim doesn’t pay the ransomware within a specific time, the malicious code will delete the decryption key from the C&C server.
The malicious code also implements password stealing abilities, the ransomware is able to steal users’ credential for popular Chinese services, including Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites.
The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.
According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.
The tainted software is used by hackers to inject the malicious code into every software compiled through the programming software.
To avoid detection, author of the threat signed the code with a trusted digital certificate issued form from Tencent Technologies and avoid encrypting data in some specific directories, like “Tencent Games, League of Legends, tmp, rtl, and program.
The good news for the victims is that researchers were able to crack the ransomware; the experts discovered that the malware uses XOR cipher, instead of DES, to encrypt the file, it also stores a copy of the decryption key locally on the victim’s system in the following path:
%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
Velvet experts released d a free ransomware decryption tool that could be used to decrypt documents encrypted by the malware.
Experts attributed the ransomware to a software programmer named “Luo,” they reported their discovery to the Chinese authorities.