05 Dec 2018

A new strain of ransomware is spreading swiftly across China and has already affected around 100,000 computers in the last four days as a result of a supply-chain attack. The count continues to rise every hour.

Unlike typical ransomware, this new malware doesn’t demand ransom payments in Bitcoin. Instead, the attackers want 110 yuan (approximately USD 16) paid through WeChat Pay, the payment feature of China’s most popular messaging app.

Ransomware + Password Stealer

The new Chinese ransomware targets only Chinese users. Besides encrypting files, it can steal users’ account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang and QQ websites.

Supply Chain Attack

Velvet Security, a cyber security and anti-virus firm based in China, states that the attackers inserted malicious code into the “EasyLanguage” programming software used by a large number of application developers.

The modified programming software inserted the ransomware code into every application compiled with it, a software supply-chain attack that let the malware spread rapidly.

Any system on which one of the infected applications was installed was compromised. The ransomware encrypts all files on an infected system except those with gif, exe and tmp extensions.

Using Stolen Digital Signatures

To evade antivirus programs, the attackers signed their malware with a trusted digital certificate belonging to Tencent Technologies, and the malware avoids encrypting data in some specific directories, such as “Tencent Games, League of Legends, tmp, rtl, and program.”

After encryption, the ransomware displays a pop-up note urging users to pay 110 yuan to the attackers’ WeChat account within 3 days to get the decryption key. If the ransom is not paid by the deadline, the malware threatens to delete the decryption key from its remote command-and-control server automatically.

Besides encrypting files, the ransomware also steals the user’s login credentials for popular Chinese websites and social media accounts and sends them to a remote server. System information including the CPU model, screen resolution, network information and the list of installed software is also exfiltrated.

Ransomware Has Been Cracked

Security researchers discovered that the ransomware was poorly written and that the attackers lied about the encryption. The ransom note claims the files were encrypted with the DES algorithm, but the malware actually encrypts data with a far weaker XOR cipher and stores a copy of the decryption key locally on the victim’s own system, in the following location:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Using this information, the Velvet security team produced and released a free decryption tool that unlocks encrypted files without victims having to pay any ransom.
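To show why an XOR-based ransomware with a locally stored key is recoverable, here is an added example (not the article's code and not Velvet Security's tool) of a toy repeating-key XOR "encryptor" and two ways to undo it: reading the key from the path the article names, and, going one step beyond the article, recovering the key from known plaintext (a file's magic bytes) even if the key file were missing. The 8-byte key, the raw key-file format, the PNG sample file and the `.locked` suffix are all assumptions made for this example; the real malware's key length and file layout are not described on the page.

```python
import os
import tempfile

# Path the article reports for the locally stored key, relative to the user profile.
KEY_REL_PATH = os.path.join("AppData", "Roaming", "unname_1989", "dataFile", "appCfg.cfg")

# Assumption for this toy: an 8-byte key stored as raw bytes. The real key length
# and file format are not stated in the article.
TOY_KEY = b"unname89"

# Standard 8-byte PNG signature, used below as known plaintext (constructed sample).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def load_stored_key(profile_dir: str) -> bytes:
    """Read the key from the location the article names (toy format: raw key bytes)."""
    with open(os.path.join(profile_dir, KEY_REL_PATH), "rb") as f:
        return f.read()


def recover_key_from_known_plaintext(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: ciphertext XOR plaintext = key stream.

    One full key period of known plaintext (here: a file's magic bytes) yields the whole key.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decrypt_file(enc_path: str, key: bytes, out_path: str) -> None:
    """Decrypt one locked file with a known key and write the plaintext beside it."""
    with open(enc_path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(xor_bytes(data, key))


def demo() -> dict:
    """Simulate an infection in a temp directory and recover the file both ways."""
    with tempfile.TemporaryDirectory() as profile:
        # The malware drops its key under the victim's profile (per the article).
        key_path = os.path.join(profile, KEY_REL_PATH)
        os.makedirs(os.path.dirname(key_path))
        with open(key_path, "wb") as f:
            f.write(TOY_KEY)

        # Constructed victim file: PNG header followed by filler bytes.
        original = PNG_SIGNATURE + bytes(range(256)) * 4
        enc_path = os.path.join(profile, "photo.png.locked")  # suffix is an assumption
        with open(enc_path, "wb") as f:
            f.write(xor_bytes(original, TOY_KEY))

        # Way 1: use the key the malware left on disk.
        key = load_stored_key(profile)
        dec_path = os.path.join(profile, "photo.png")
        decrypt_file(enc_path, key, dec_path)
        with open(dec_path, "rb") as f:
            restored = f.read()

        # Way 2: no key file needed; derive the key from the file's magic bytes.
        with open(enc_path, "rb") as f:
            ciphertext = f.read()
        guessed = recover_key_from_known_plaintext(ciphertext, PNG_SIGNATURE, len(TOY_KEY))

        return {
            "stored_key_works": restored == original,
            "recovered_key": guessed,
            "known_plaintext_works": xor_bytes(ciphertext, guessed) == original,
        }


if __name__ == "__main__":
    print(demo())
```

The second path is the reason a "DES" claim in a ransom note should never be taken at face value: a repeating-key XOR leaks its entire key from a single block of predictable plaintext, which almost every file format provides in its header, so a decryptor does not even depend on the attackers' carelessness in leaving the key on disk.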

The researchers were also able to break into the attackers’ command-and-control and MySQL database servers, where they found thousands of stolen credentials.

Researchers have identified a suspect, named “Luo,” who is believed to be behind the attack. He is a software programmer who has developed applications such as “lsy resource assistant” and “LSY classic alarm v1.1”. Luo’s QQ account number, mobile number, Alipay ID and email IDs match the information researchers collected by tracing the attacker’s WeChat account.

After being notified of the threat, WeChat suspended the attackers’ account that was used to receive the ransom payments.
