A new, as yet unnamed ransomware strain was recently discovered after infecting around 20,000 systems in China. The hacker(s) behind the attack demanded 110 yuan ($16) as ransom, instructing victims to pay via the WeChat payment service, which is available only in China and neighboring regions.
The attacker(s) have been distributing the ransomware exclusively through Chinese-based apps, targeting Windows users specifically. Experts believe the new ransomware is aimed mainly at Chinese users and that, at present, there is no threat to international users.
Multiple Chinese media outlets reported that users' PCs were infected with the ransomware after installing several social-media-themed Chinese apps, in particular an application named 'Account Operation v3.1'. This app is used for managing multiple QQ accounts at the same time.
The security analysts and experts who analyzed the application reported that the ransomware not only encrypts files but also includes an information-stealing component that harvests login credentials for several Chinese online services.
Some of the data-stealer’s functionalities include:
Formal complaints have been filed with the local law enforcement authorities. However, it is still unclear whether the authorities have tracked down the hacker(s) behind the ransomware attack.
What do the victims have to say?
BleepingComputer reported that Chinese officials arrested 14 employees of Rafotech, a Chinese digital marketing company, as the authors of the Fireball adware. In yet another case, BleepingComputer reported, Chinese authorities arrested a hacker who breached the servers of two Hong Kong travel agencies, stole their data, and demanded a bitcoin ransom.
Local Chinese security experts claimed that files encrypted by the ransomware can be recovered without paying the ransom, and that some local companies have already started working on free decryptors, which they plan to make publicly available soon.