Over 100,000 Windows PC users in China had their PCs infected by New Ransomware Strain

Over 100,000 Windows PC users in China have had their PCs infected by a new ransomware strain that encrypts their files. The ransomware does not demand bitcoin as ransom payment; instead it asked the infected users to pay ransom of 110 yuan (~$16) through WeChat payment service. It also asked for the ransom within 3 days of infection, else the decryption key would get deleted automatically from attackers C&C server.

As per several local news reports, the users have reported getting infected with the ransomware after they installed the social media-themed applications (apps), but mainly after installing the "Account Operation V3.1" app - a Chinese app which help the users to manage several QQ accounts (a famous instant messaging service of China) on the same time. As per the analysis, the attacker has compromised supply chain of "EasyLanguage" programming software that is getting used by many application developers. Then the malicious software injects malicious code in every software as well as application that has been compiled through it.

For avoiding the antivirus detection, the attacker uses the stolen digital signature by signing malware code with trusted certificate issued form by the Tencent Technologies.

The security experts analyzing the infections said that apart from encrypting files, the ransomware also have an information-stealing component which harvested the login credentials for numerous Chinese online services, like Alipay (i.e. a digital wallet), NetEase 163 (i.e. an email service), Tencent QQ (i.e. an instant messaging), Baidu Cloud (i.e. a personal cloud file hosting), and Jingdong, Tmall, and Taobao (online shopping platforms).

Police from Guangdong province of China have arrested a man surnamed Luo, aged 22, who is allegedly held responsible for creating China's first ransomware which requires payment via WeChat payment service. Law enforcement from Southern city of Dongguan announced on Weibo, i.e. a microblogging platform, on December 6, adding that suspect from province's Maoming city has been arrested on December 5.

For victims of this latest ransomware campaign, the researchers have been able to found that files were not encrypted using DES as mentioned in ransom note but were encrypted using the XOR cipher, and the files also stores decryption key copy on victim's system. Besides the researchers also released the free decryption tool, which the infected users can use for decrypting their files without paying any ransom.

» SPAMfighter News - 12/20/2018