WeChat ransomware attack: over 100 000 computer infections in four days

China infected by WeChat ransomware that demands to pay the ransom via WeChat Pay app

WeChat ransomware infected over 100K devices all over China in only 4 days of activity.

WeChat ransomware is the latest threat spreading across China. Experts are warning that it has already affected more than 100 000 computers since December 1st. According to the report of Velvet Security, a Chinese cybersecurity company, the attack differs from other similar large-scale ransomware attempts because of the ransom demand.^[1] Typically, malware developers ask a hefty amount in Bitcoin, but this time attackers are urging to pay 16 USD or 110 yuan using WeChat Pay feature.

The malware targets only China users and includes the additional ability to steal users' account passwords from various services like Alipay, NetEase, Baidu Cloud Disk, Jingdong, Taobao, Tmall, QQ, and AliWangWang websites. As reported, the attackers also added a malicious script into the “EasyLanguage” programming software that most of the developers use when they create their applications. Such altered software is designed to spread direct ransomware code into every application and product.

The so-called WeChat ransomware has already affected around 100K PCs. The ransomware virus encrypts^[2] all data found on the infected system with the exclusion of .gif and .exe, and .tmp extensions.

Technical details of the WeChat ransomware

When targeted data gets encrypted, ransomware displays a pop-up note that demands 110 yuan. The payment is asked to be made to hackers' WeChat account in three days. Otherwise, the decryption key cannot be received. Cybercriminals who are responsible for this threat are stating that the decryption key gets automatically deleted from the server if the ransom is not paid in time.^[3]

The Velvet Security report also has revealed that the crooks managed to sign their malware code with a digital signature stolen from Tencent Technologies. This step allows avoiding data encryption in specific directories or programs and disables some of the security tools or system's features.

Additionally to the files' encryption, this virus collects information, including login credentials of popular websites and social media platform accounts. This data is collected and stored on a remote server that belongs to the attackers. One of these applications is Alipay which is commonly used in China. There is no surprise why this malicious activity has raised so much frustration among users in China.^[4]

A poorly programmed ransomware is already cracked

According to researches and based on the functionality and the ransom demand, WeChat ransomware appears to be a notorious virus. However, cybersecurity researchers and experts have found vulnerabilities and issues in the coding.

It seems that hackers lied about the encryption process in the first place. Although the ransom message states about the DES encryption method, a less secure XOR algorithm^[5] is the functionality used in the file-encoding procedure.^[6] Another lie is the decryption key because it is stored on the users' system in a newly created %user%\\AppData\\Roaming\\unname_1989\\dataFile\\appCfg.cfg folder, not the remote server.

With the help of all this information, experts from Velvet Security have already created a tool for helping victims in data recovery operations. As you can see, you do not need to pay the ransom to get your files back. Also, these vulnerabilities in coding allowed researchers to crack the C&C server access to databases where various credentials were stored after being stolen from victims'.

Finally, experts revealed sensitive information about the creator “Luo”. The programmer's account, phone number, and identification details for various apps have been transferred to law enforcement agencies and Chinese services that will use these details for further investigation of the issue.