New Ransomware Strain Spotted in China Infected Over 100,000 PCs in 4 Days

Ransomware strain
  • Security researchers have spotted a new strain of ransomware spreading across China which has already infected more than 100,000 PCs in 4 days.
  • The ransomware was spotted by researchers at the security firm Velvet Security.
  • Victims are asked to pay 110 yuan through WeChat Pay instead of Bitcoin.
  • Researchers have already released a free decryption tool so victims can recover their files.

Security researchers have spotted a new strain of ransomware targeting China that has already infected more than 100,000 PCs in 4 days.

The ransomware doesn't demand the ransom in Bitcoin; instead, affected users are asked to pay 110 yuan through WeChat Pay.

Researchers from the Chinese security firm Velvet Security discovered the ransomware and said it had already infected more than 100,000 computers as of December 4.

“On December 1, the first ransomware that demanded the ‘WeChat payment’ ransom broke out in the country. According to the monitoring and evaluation of the ‘Colvet Threat Intelligence System’, as of the evening of the 4th, the virus had infected at least 100,000 computers, not only locked the computer.”

According to the analysis, the attacker compromised the supply chain of the “EasyLanguage” programming software, which is used by a large number of application developers.

The compromised development software injects the malicious code into every program and application compiled with it, so every developer who builds with the tainted toolchain unknowingly ships the ransomware to their own users.

To evade antivirus detection, the attacker signed the malware with a stolen digital certificate issued to Tencent Technologies, so the binary appears to come from a trusted publisher. The malware also avoids encrypting data in a few specific directories, such as “Tencent Games”, “League of Legends”, “tmp”, “rtl”, and “program”.

Infected users are asked to pay 110 yuan via WeChat Pay within three days of infection; otherwise, the note claims, the decryption key will be automatically deleted from the attacker's C&C server.

The ransomware also steals login credentials for users' social media accounts and other websites.

Information about the infected system, such as the CPU model, screen resolution, IP address and carrier, and installed software, is also collected and sent to the attacker's server.

Researchers found that the files were actually encrypted with a simple XOR cipher rather than the DES claimed in the ransom note, and that the malware stores a copy of the decryption key on the victim's own system at:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
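The two weaknesses above (a key left on disk and a plain XOR "cipher") are exactly what makes a free decryptor possible. The following is an added illustration, not the ransomware's code and not Velvet Security's tool: it assumes a repeating-key XOR and a key file holding raw key bytes, and shows both that the same key reverses the encryption and that, even if the key file were gone, a known file header (such as a PNG or PDF signature) leaks the key back. The key length, the sample key and the layout of appCfg.cfg are assumptions for the example; the article does not describe them.

```python
"""
Added example: why a repeating-key XOR "cipher" is trivially reversible.
It is NOT the ransomware's own code nor Velvet Security's decryptor. It
assumes a repeating-key XOR and a raw-bytes key file; the real key length
and the layout of appCfg.cfg are not described in the article.
"""
import os

# Known file headers ("magic" bytes) used as known plaintext to validate or
# recover a key. Table constructed for this example.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
}


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key. Encryption and decryption are
    the same operation, which is why a copy of the key is enough to decrypt."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def load_key(cfg_path: str) -> bytes:
    """Read the key the malware left on disk. Assumption: the file holds the
    raw key bytes (the article does not document the file format)."""
    with open(cfg_path, "rb") as f:
        return f.read()


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: if the key file is gone, XOR the first key_len
    bytes of ciphertext with the file's expected header to get the key back."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_crypt(ciphertext[:key_len], known_plaintext[:key_len])


def identify(data: bytes):
    """Return the file type if the data starts with a known header, else None.
    Used to confirm that a candidate key actually produced a valid file."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def demo() -> dict:
    """Constructed sample: a fake PNG encrypted with an 8-byte key."""
    key = b"\x13\x37\xde\xad\xbe\xef\x42\x99"          # constructed, not real
    plaintext = b"\x89PNG\r\n\x1a\n" + os.urandom(64)  # fake PNG body
    ciphertext = xor_crypt(plaintext, key)

    # Case 1: the key copy survives on the victim machine (as in the article).
    from_key_file = xor_crypt(ciphertext, key) == plaintext

    # Case 2: key copy deleted; recover the key from the PNG header alone and
    # confirm the guess by checking that the decrypted data is a valid PNG.
    guessed = recover_key(ciphertext, b"\x89PNG\r\n\x1a\n", len(key))
    from_known_header = (guessed == key
                         and identify(xor_crypt(ciphertext, guessed)) == "png")

    return {"from_key_file": from_key_file, "from_known_header": from_known_header}


if __name__ == "__main__":
    print(demo())
```

The second case is the practitioner's point: a real cipher such as DES or AES would not hand the key back from a handful of known plaintext bytes, but XOR with a repeating key does, so even victims who lost appCfg.cfg could be helped for any file type with a predictable header.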

Researchers have also released a free decryption tool that infected users can use to recover their files.
