
New Ransomware Spreading Rapidly in China Infected Over 100,000 Computers.



NEW RANSOMWARE DISCOVERED.


A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour.

What's Interesting? Unlike almost every other ransomware, the new virus doesn't demand ransom payments in Bitcoin.

Instead, the attackers are asking victims to pay 110 yuan (nearly USD 16) in ransom through WeChat Pay—the payment feature offered by China's most popular messaging app.


Ransomware + Password Stealer — Unlike WannaCry and NotPetya ransomware outbreaks that caused worldwide chaos last year, the new Chinese ransomware has been targeting only Chinese users.

It also includes an additional ability to steal users' account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ websites.

A Supply Chain Attack — According to Chinese cybersecurity and anti-virus firm Velvet Security, attackers added malicious code into the "EasyLanguage" programming software used by a large number of application developers.

The maliciously modified programming software was designed to inject ransomware code into every application and software product compiled through it—another example of a software supply-chain attack to spread the virus rapidly.


More than 100,000 Chinese users who installed any of the above listed infected applications got their systems compromised. This ransomware encrypts all files on an infected system, except files with gif, exe, and tmp extensions.

Using Stolen Digital Signatures — To evade antivirus programs, the attackers signed their malware code with a trusted digital signature from Tencent Technologies and avoided encrypting data in some specific directories, like "Tencent Games, League of Legends, tmp, rtl, and program."

Once the files are encrypted, the ransomware pops up a note asking users to pay 110 yuan to the attackers' WeChat account within 3 days to receive the decryption key.


If the ransom is not paid within the displayed time, the malware threatens to automatically delete the decryption key from its remote command-and-control server.

Besides encrypting user files, the ransomware also silently steals users' login credentials for popular Chinese websites and social media accounts and sends them to a remote server.

It also gathers system information, including CPU model, screen resolution, network information and the list of installed software.

Poor Ransomware Has Been Cracked — Chinese cybersecurity researchers found that the ransomware was poorly programmed and that the attackers lied about the encryption process.

The ransom note says users' files have been encrypted using the DES encryption algorithm, but in reality it encrypts data using a less secure XOR cipher and stores a copy of the decryption key locally on the victim's system, at the following location:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Using this information, the Velvet security team created and released a free ransomware decryption tool that can easily unlock encrypted files for victims without requiring them to pay any ransom.
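Why XOR with a locally stored key offers no protection, as an added example (not Velvet's decryption tool and not the malware's code): it locates the key copy under each user profile, then undoes the XOR either with that key or with a key derived from a known file header. The repeating-key scheme, the raw-bytes layout of appCfg.cfg, the key value and the sample file are assumptions constructed for illustration; the page does not describe them.

```python
import tempfile
from itertools import cycle
from pathlib import Path

# Relative location of the key copy under each user profile, from the article.
KEY_FILE_REL = Path("AppData/Roaming/unname_1989/dataFile/appCfg.cfg")


def find_key_files(profiles_root):
    """Return every per-user copy of the key file under a profiles directory."""
    root = Path(profiles_root)
    return sorted(p / KEY_FILE_REL for p in root.iterdir()
                  if (p / KEY_FILE_REL).is_file())


def xor_bytes(data, key):
    """Repeating-key XOR (assumed scheme). The same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext, known_prefix, key_len):
    """Derive the key from a known plaintext prefix, e.g. a file-format header.

    Works without the key file because ciphertext XOR plaintext = key.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))


def demo():
    key = b"K3y-1989"                       # constructed key, not the real one
    png = b"\x89PNG\r\n\x1a\n" + b"constructed image body"  # constructed sample
    locked = xor_bytes(png, key)

    with tempfile.TemporaryDirectory() as root:
        # Constructed profile tree; the raw-bytes file layout is an assumption.
        key_path = Path(root) / "alice" / KEY_FILE_REL
        key_path.parent.mkdir(parents=True)
        key_path.write_bytes(key)
        (Path(root) / "bob").mkdir()        # profile with no artifact
        hits = find_key_files(root)
        via_file = xor_bytes(locked, hits[0].read_bytes())

    via_header = xor_bytes(locked, recover_key(locked, png[:8], len(key)))
    return len(hits), via_file == png, via_header == png


if __name__ == "__main__":
    print(demo())
```

The presence of the key file under a profile also serves as a host indicator for this family during triage.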

Researchers also managed to crack and access attackers' command-and-control and MySQL database servers, and found thousands of stolen credentials stored on them.

Who Is Behind This Ransomware Attack? — Using publicly available information, researchers have found a suspect, named “Luo,” who is a software programmer by profession and developed applications like "lsy resource assistant" and "LSY classic alarm v1.1".


Luo's QQ account number, mobile number, Alipay ID and email IDs match the information researchers collected by following the attacker’s WeChat account.

After being notified of the threat, WeChat also suspended the attackers' account on its service that was being used to receive the ransom payments.

Velvet researchers have also provided Chinese law enforcement agencies with all available information for further investigation.


PROUD LUGBARA OSUTA YUSUF, A CAREER POLITICIAN, BARRISTER, STUDENT FOR LIFE AND TALENTED IN TECHNOLOGY.

