New Ransomware Infects Over 100,000 PCs in China in Just 4 Days

A new type of ransomware is rapidly spreading across China, having infected more than 100,000 computers in just four days. The number of victims continues to grow. Unlike most ransomware, this new malware demands payment not in Bitcoin, but in Chinese yuan (110 yuan, about $16), which victims are instructed to pay via the WeChat Pay service.

How the Ransomware Works

The malware, named WeChat Payment, specifically targets users in China. In addition to encrypting files, it can also steal passwords for accounts on popular Chinese websites and social networks, including Alipay, NetEase 163, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ. It also collects information about the infected system, such as the processor model, screen resolution, and installed programs.

Infection Method

According to experts at Velvet Security, the attackers embedded the malicious code into the “EasyLanguage” compiler, which is widely used by application developers. The infected version of the compiler inserted the ransomware code into every application compiled with it.
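Because the infection came through a trojanized build tool rather than through the applications' own source, the defensive check that matters here is integrity of the toolchain itself. The following is an added example, not code from the article, from Velvet Security, or from the EasyLanguage project: it baselines every file under a compiler installation with SHA-256 hashes and later reports anything modified, added, or missing. The directory layout (`bin/compiler.exe`, `lib/runtime.lib`) and file contents are constructed for the demonstration.

```python
"""
Build-toolchain integrity check (added example; assumed layout, constructed data).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the toolchain on disk against a trusted manifest.

    Returns a dict with sorted lists under 'modified', 'added' and 'missing'.
    An empty result means the installation still matches the baseline.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo():
    """Constructed scenario: baseline a clean toolchain, then tamper with it.

    The file names and contents are made up for this example; they are not
    artifacts of the real compiler or of the malware.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "compiler.exe").write_bytes(b"clean compiler bytes")
        (root / "lib" / "runtime.lib").write_bytes(b"clean runtime")
        baseline = build_manifest(root)  # taken from a known-good install

        # Simulate the kind of tampering the article describes: a component
        # that gets linked into every build is silently replaced, and an
        # unexpected file appears alongside it.
        (root / "lib" / "runtime.lib").write_bytes(b"clean runtime plus something else")
        (root / "lib" / "extra.dll").write_bytes(b"unexpected new file")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest is only as trustworthy as where it comes from: generate it from an installer whose hash matches the vendor's published value, keep it outside the build machine (or sign it), and re-run `verify_manifest` before each release build so a tampered compiler is caught before it produces a single binary.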

Technical Details

Once on a system, the ransomware encrypts all files except those with the extensions .gif, .exe, and .tmp. To evade antivirus detection, the malware authors signed it with a digital certificate from Tencent Technologies. Additionally, to avoid detection, the ransomware ignores folders such as Tencent Games, League of Legends, tmp, rtl, and Program.
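The encryption profile above (every file except `.gif`, `.exe` and `.tmp`, skipping a handful of folders) is itself a detectable footprint: one process rewriting many files of many types in a short burst, while leaving the skipped names untouched. The following added example, not code from the article or from Velvet Security, runs that behavioural check over constructed file-modification events of the form `epoch pid process action path`. The window, file-count and extension-count thresholds are assumptions to tune per environment, and the log format is invented for the demonstration.

```python
"""
Behavioural detection of mass file encryption (added example; constructed log lines).
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Exclusions named in the article. A process that touches everything *except*
# these leaves a distinctive pattern, and they also tell a defender where
# canary files would be pointless.
SKIPPED_EXTENSIONS = {".gif", ".exe", ".tmp"}
SKIPPED_FOLDERS = {"tencent games", "league of legends", "tmp", "rtl", "program"}

WINDOW_SECONDS = 60           # assumption: burst window to examine
MIN_FILES = 50                # assumption: writes needed inside one window
MIN_DISTINCT_EXTENSIONS = 5   # assumption: variety of file types inside that window


def matches_encryption_profile(path_str):
    """True if the file is one the described ransomware would encrypt:
    extension not on its skip list and no parent folder on its folder skip list."""
    path = PureWindowsPath(path_str)
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    return not any(part.lower() in SKIPPED_FOLDERS for part in path.parts[:-1])


def parse_event(line):
    """Parse 'epoch pid process action path'; the path may contain spaces."""
    ts, pid, proc, action, path = line.split(maxsplit=4)
    return {"ts": int(ts), "pid": int(pid), "proc": proc, "action": action, "path": path}


def detect_mass_encryption(lines):
    """Return one alert per process whose densest WINDOW_SECONDS span of writes
    covers at least MIN_FILES profile-matching files across MIN_DISTINCT_EXTENSIONS types."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "WRITE" and matches_encryption_profile(ev["path"]):
            per_proc[(ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (pid, proc), events in per_proc.items():
        events.sort(key=lambda e: e["ts"])
        best = []
        start = 0
        for end in range(len(events)):          # sliding window over timestamps
            while events[end]["ts"] - events[start]["ts"] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        exts = {PureWindowsPath(e["path"]).suffix.lower() for e in best}
        if len(best) >= MIN_FILES and len(exts) >= MIN_DISTINCT_EXTENSIONS:
            alerts.append({"pid": pid, "proc": proc, "files": len(best), "extensions": sorted(exts)})
    return alerts


def constructed_events():
    """Constructed sample telemetry, not real logs: one benign editor and one
    process rewriting 60 files of six types within 30 seconds."""
    lines = []
    for i in range(3):  # a word processor saving a few documents over a minute
        lines.append(f"{1000 + i * 20} 412 winword.exe WRITE C:\\Users\\alice\\Documents\\report{i}.docx")
    exts = [".docx", ".xlsx", ".jpg", ".pdf", ".txt", ".zip"]
    for i in range(60):  # burst of writes across many file types
        lines.append(f"{2000 + i // 2} 7781 updater.exe WRITE C:\\Users\\alice\\Pictures\\file{i}{exts[i % 6]}")
    # Writes that fall under the malware's own exclusions must not count toward the burst.
    lines.append("2010 7781 updater.exe WRITE C:\\Users\\alice\\Pictures\\anim.gif")
    lines.append("2011 7781 updater.exe WRITE C:\\Program Files\\Tencent Games\\cfg.ini")
    lines.append("2012 7781 updater.exe WRITE C:\\rtl\\data.bin")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_events()):
        print(alert)
```

In production the events would come from an EDR or Sysmon file-modification feed rather than a list of strings, and the alert should carry the process's signer and hash: as the article shows, a valid signature from a well-known company is not on its own a reason to suppress an alert, because the certificate here was used precisely to pass that kind of filter.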

Ransom Demand and Decryption

Victims are given three days to pay the ransom. If payment is not made, the attackers threaten to delete the decryption key from their server. However, it was discovered that users can decrypt their files themselves, as a copy of the decryption key is stored locally on the victim’s computer.

Investigation and Response

Security experts managed to access the attackers’ command server and MySQL database, where they found thousands of account credentials. All collected information has been handed over to Chinese law enforcement for further investigation.

Leave a Reply