China, widely regarded as a fast-rising technological power, has faced an unprecedented number of major cyber threats in the last few years. Since the widespread destruction caused by WannaCry and NotPetya last year, ransomware attacks appeared to have dwindled, to the relief of security researchers.
The recent discovery of a distinctive ransomware campaign targeting China has put the security community back to work. Unlike almost every other ransomware family, which demands payment in Bitcoin, this one demands its ransom through one of the country's most popular payment methods: WeChat Pay, a digital wallet owned by the Chinese tech giant Tencent, was used by the attacker to receive payments.
After infiltrating the system, this as-yet-unnamed ransomware encrypts the user's files with a weak XOR cipher. The ransom note, however, claims that the more sophisticated DES encryption algorithm was used, in an attempt to mislead victims and researchers.
All files on the infected system are targeted except those with the gif, exe and tmp extensions.
Users are informed of the encryption by a ransom note that demands 110 yuan from the victim to regain access to the files. It asks the user to pay by scanning a WeChat QR code shown in a pop-up window.
The note demands that the victim transfer the stated amount to the attacker's WeChat account within 3 days. According to the note, failing to do so may result in the decryption key being deleted from the remote command-and-control server.
Victims should ignore such threats and never agree to pay under any circumstances, because attackers often disregard their victims once the ransom has been paid.
Apart from the usual ransomware behavior, it also steals the victim's passwords for popular sites such as:
The ransomware is also designed to gather system information, including the CPU model, network information, screen resolution and a list of installed software.
The threat actors targeted “Easy Language”, a well-known programming tool used by a large number of application developers, by injecting the ransomware code into it. Every application and software product compiled with the trojanized tool then carried the ransomware, a classic software-supply-chain compromise.
The malicious program carries a valid digital signature to evade detection by antivirus products. It is also designed to skip encrypting data in certain directories so as not to draw attention. These include:
Security researchers revealed that the ransomware was poorly designed, which made it easy for them to develop a decryption tool that unlocks the victim's device without any ransom being paid.
They also revealed that the ransomware stores a copy of the decryption key locally on the victim's system, at the following path:
%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
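The cryptographic weakness described above (XOR instead of the DES the note claims) is the reason a decryptor was feasible. The following is an added illustration, not code from the article, from the malware, or from the researchers' tool; the real file format and key length are not described here, so it assumes the simplest form, a repeating-key XOR, and uses the fixed 16-byte prefix that every PNG file begins with as known plaintext. The key, the sample file and its layout are all constructed.

```python
"""Added example: recovering a repeating XOR key from known plaintext.

Assumptions (none confirmed by the article): the cipher is a repeating-key
XOR, the key is no longer than half the known plaintext, and the encrypted
file began as a PNG, whose first 16 bytes are fixed by the format.
"""
from typing import Optional

# Every PNG starts with the 8-byte signature followed by the IHDR chunk
# header (length 13, type "IHDR"); these 16 bytes are known plaintext.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"

# Constructed 8-byte key for the demo; not taken from any real sample.
CONSTRUCTED_KEY = bytes.fromhex("1337c0debaadf00d")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. Because XOR is its own inverse, the same
    call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_key(ciphertext: bytes, known_prefix: bytes,
             max_key_len: Optional[int] = None) -> Optional[bytes]:
    """Recover the repeating key from known plaintext at the file start.

    For each candidate length L, the key is simply ciphertext[:L] XOR
    plaintext[:L]. The candidate is accepted only if it reproduces the whole
    known prefix, which requires the key to repeat at least once inside it,
    hence the default limit of half the prefix length. Returns None if no
    candidate length fits.
    """
    if max_key_len is None:
        max_key_len = len(known_prefix) // 2
    n = min(len(ciphertext), len(known_prefix))
    for key_len in range(1, max_key_len + 1):
        candidate = bytes(c ^ p for c, p in
                          zip(ciphertext[:key_len], known_prefix[:key_len]))
        if xor_bytes(ciphertext[:n], candidate) == known_prefix[:n]:
            return candidate
    return None


def build_sample_file() -> bytes:
    """Constructed stand-in for a victim file: the real PNG prefix followed
    by made-up body bytes (not a valid image, just predictable content)."""
    body = bytes((i * 37 + 11) & 0xFF for i in range(200))
    return PNG_KNOWN_PREFIX + body


def demo() -> tuple:
    """Encrypt the sample with the constructed key, recover the key from the
    PNG prefix alone, and report whether full decryption succeeded."""
    plaintext = build_sample_file()
    encrypted = xor_bytes(plaintext, CONSTRUCTED_KEY)
    key = find_key(encrypted, PNG_KNOWN_PREFIX)
    recovered = xor_bytes(encrypted, key) if key else b""
    return key, recovered == plaintext


if __name__ == "__main__":
    key, ok = demo()
    print("recovered key:", key.hex() if key else None, "decrypted:", ok)
```

The point for defenders is the contrast with the ransom note's claim: with a block cipher such as DES, knowing the first 16 bytes of a file would not hand over the key, whereas a short repeating XOR key falls out of any file whose format has a fixed header. A key written to disk, as this sample does under the path above, would undermine even a strong cipher, which is why both findings mattered for the decryptor.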
A suspect has been identified, and his command-and-control and MySQL database servers have also been cracked, where thousands of stolen credentials were found.
The hacker's WeChat account, which was used to receive the ransom payments, has been suspended.