Over 100,000 PCs infected with new ransomware strain in China

Ransomware authors might have shot themselves in the foot by handling payments via WeChat. Local law enforcement could track ransom payments.

Over 100,000 Chinese users have had their Windows PCs infected with a new strain of ransomware that encrypts their files and demands a 110 yuan (~$16) ransom.

The ransomware is exclusively targeting the Chinese internet space, and there's no threat to international users, at least yet.

This is because the person or group behind this threat is exclusively using Chinese-themed apps to distribute the ransomware via local sites and forums. Further, they are also requesting ransom payments via the WeChat payment service, which is only available in China and adjacent regions.

[Image (chinese-ransomware.png): LeiPhone]

According to multiple local news reports [1, 2, 3, 4], users have reported being infected with this ransomware after installing social media-themed apps, but mostly after installing an app named "Account Operation V3.1," an app for helping users manage multiple QQ accounts at the same time. A subsequent report claimed the ransomware author might have compromised an SDK named EasyLanguage, shared among all the reported applications, which injected the ransomware's malicious code inside other developers' apps.

Security experts who analyzed the infections said that besides encrypting files, the ransomware also included an information-stealing component that harvested login credentials for several Chinese online services, such as Alipay (digital wallet), Baidu Cloud (personal cloud file hosting), NetEase 163 (email service), Tencent QQ (instant messaging), and Taobao, Tmall, and Jingdong (online shopping platforms).

Formal complaints have been filed with local law enforcement, but it's unclear at this moment if authorities have identified the hacker or hacker group behind this sudden ransomware outbreak.

Unless the ransomware authors used fake or fraudulently-obtained IDs to create their WeChat payment handling profiles, most victims said they expected police to track the criminals down. It is widely known that Chinese authorities have the capabilities to track WeChat payments and identify the people behind suspicious operations.

This latest ransomware campaign is also not the first time China-based ransomware authors have used WeChat as a ransom payment handling method. Those who made this fatal mistake in the past have been arrested by authorities within months, such as the duo arrested in July last year.

Chinese police, overall, have a good track record of arresting hackers within weeks or months after a particular malware campaign makes headlines. For example, they previously took only a month to track down and arrest the people behind the Fireball adware, four days to track down a hacker extorting local travel agencies, and less than a month to identify a hacker who was selling data of millions of hotel guests on the Dark Web.

As for the victims of this recent ransomware campaign, local Chinese cyber-security firms claim the ransomware can be decrypted without paying the ransom because the ransomware comes with the encryption/decryption key hardcoded in its source code. Some companies have started working on free decrypters, which they plan to make freely available in the coming days.
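The reason a hardcoded key makes a free decrypter possible is that every victim's files were transformed with the same constant, and that constant ships inside the malware's own executable. The following is an added illustration, not code from the article or from any of the firms it mentions: it uses a constructed stand-in for the binary (the `RANSOM_KEY=` marker, the sample key and the SHA-256 counter stream used as a toy cipher are all assumptions, since the page does not describe the actual algorithm) and shows how an analyst recovers the key from the image and turns it into a decrypter that works for any victim.

```python
import hashlib
import re

# Constructed sample key; not the real malware's key.
SAMPLE_KEY = b"demo-hardcoded-key-0001"

# Constructed stand-in for the malware's executable image: header bytes and junk
# surrounding a NUL-terminated string constant that holds the key. The
# "RANSOM_KEY=" marker is an assumption made so the scan has an anchor; with a
# real sample the constant is located by string or disassembly analysis instead.
FAKE_BINARY = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"RANSOM_KEY=" + SAMPLE_KEY + b"\x00"
    + b"This program cannot be run in DOS mode\x00"
)


def find_hardcoded_key(image: bytes) -> bytes:
    """Locate the NUL-terminated key constant that follows the assumed marker."""
    match = re.search(rb"RANSOM_KEY=([^\x00]+)\x00", image)
    if match is None:
        raise ValueError("key marker not found in image")
    return match.group(1)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy symmetric stream transform: XOR with a SHA-256 counter keystream.

    Because the operation is XOR, one function both locks and unlocks data; the
    only secret is the key, which here is a constant baked into the binary.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_decrypter(image: bytes):
    """Extract the constant key from the image and return a decrypt function.

    The same decrypter serves every victim, because nothing per-victim (no
    generated key, no server-side secret) enters the transform.
    """
    key = find_hardcoded_key(image)
    return lambda ciphertext: keystream_xor(ciphertext, key)


def recover_sample_file() -> bool:
    """End-to-end check on a constructed file: lock with the constant key, then
    recover it using only the key pulled from the binary image."""
    original = b"quarterly-report.xlsx contents (constructed sample)"
    locked_on_disk = keystream_xor(original, SAMPLE_KEY)
    decrypt = build_decrypter(FAKE_BINARY)
    return decrypt(locked_on_disk) == original


if __name__ == "__main__":
    print("recovered:", recover_sample_file())
```

The contrast worth noting for defenders: had the malware generated a fresh key per victim and sent it to the attacker, the extracted constant would decrypt nothing, and the only recoverable artifact from the binary would be the attacker's public key. Checking whether the key material is a constant, is derived from the victim machine, or is fetched from a server is therefore the first triage step when assessing whether a free decrypter is feasible.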

While ransomware campaigns have largely died down in most Western countries, they are still a common occurrence in China. A report by Velvet Threat Intelligence (火绒威胁情报系统), a Chinese cyber-security firm, claims that ransomware strains have encrypted more than two million computers in China in the first nine months of the year.

Article updated on December 5 with updated infection stats.

UPDATE on December 9: As expected, Chinese authorities have caught the person behind this ransomware, a 22-year-old from the Dongguan province.
