China deemed as a prodigy of technological outbreaks encountered unprecedented number of major cyber threats in last few years. Since the extensive destructive days of WannaCry and NotPeyta last year, ransomware attacks appeared to have dwindled heaving a sigh of relief among security researchers.

A recent discovery of this distinctive cyber attack targeting China got the cyber security back to work. Unlike almost every ransomware malware that seek for ransom payments in Bitcoin, this ransomware virus demands for ransom through one of the country’s most popular payment methods.  WeChat Pay, one of China’s most commonly used digital wallets, owned by Chinese tech giant Tencent, was used by attacker to receive payments.

Threat Behavior

This anonymous ransomware after infiltrating the system encrypts user’s files using a less secure XOR cipher. However, the ransom note claims to have used a more sophisticated DES encryption algorithm to mislead.

All the files are targeted in the infected system except for files with gif, exe, & tmp extensions.

Users are informed about the encryption via a ransom note that seeks for 110 yuan from the victim to regain access to the files. It asks users to make payment by scanning a WeChat QR code that appears in the pop- window.

The note threatens users to transfer the declared amount to attacker’s WeChat account within 3 days. Failing to do so may result in the deletion of the decryption key from the remote command and control server, as per the ransom note.

However, the victims should ignore such threats & never agree to pay in any case because their concerns are often disregarded, once the ransom is paid.

Other important characteristics of this unchristened Ransomware

Apart from the regular ransomware behavior, it also steals victim’s passwords to popular sites like:

1. Shopping platforms– Taobao, Tmall and JD.com
2. Digital wallet- Alipay,
3. Cloud Storage Service- Baidu Cloud
4. Email Service: Internet company NetEase’s 163email service
5. Tencent’s instant messaging platform QQ.

This ransomware is also designed to gather system information including CPU model, network information, screen revolution & a list of installed software.

Ransomware Designing

“Easy Language”, a renowned programming software used by large number of application developers was targeted by threat actors. The malicious ransomware code was injected into this programming tool. This maliciously modified programming software was then leveraged to inject the ransomware code into every application & software product compiled through it.

This malicious program includes a valid signature in the script to evade detection by antivirus programs. It is designed to also avoid encrypting data in some specific directories to avoid being detected. These include:

• Tencent Games,
• League of Legends,
• tmp,
• rtl,
• and some other programs

Substandard Ransomware has been cracked

Cyber security researchers reveled that the ransomware was poorly designed. This eased their task to develop a decrypting tool that could unlock the victim’s device without having to pay any ransom.

They also reveled that the ransomware was designed to store the copy of the decryption key locally on the victim’s system in the following path.

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Suspect has been found & his command- and-control & MySQL database servers have also been cracked where thousands of stolen credentials were found.

Hacker’s WeChat account has been suspended that was used to receive the ransom payments.

Hits: 106