New Ransomware Strain in China Infects Over 20,000 PCs

A new ransomware strain has infected and disrupted the functioning of more than 20,000 PCs in China, as per reports.

ZDNet reports, “Over 20,000 Chinese users have had their Windows PCs infected with a new strain of ransomware that encrypts their files and demands a 110 yuan (~$16) ransom.”

Some reports even put the figure of infected systems at 100,000 in just four days, stating that the number is continuously increasing every hour.

As of now, this ransomware attack is limited to China. Experts analyzing the incident say that there is at present no threat to international users since it’s Chinese-themed apps that are distributing the ransomware. The hackers are using local websites and forums to spread the ransomware, and the ransom payments they are demanding are requested through the WeChat payment service, which is available only in China and adjacent regions.

The ZDNet report, dated December 4, 2018, explains that as per multiple local reports, “…users have reported being infected with this ransomware after installing several social media-themed apps, but mostly after installing an app named “Account Operation V3.1,” an app for helping users manage multiple QQ accounts at the same time.”

Security analysts have been analyzing the attacks; they have inferred that the hackers are using the ransomware not just to encrypt files and demand ransom, but to steal sensitive data as well. The ransomware has an information-stealing component which the hackers used to harvest login credentials for many Chinese online services. These included the digital wallet service Alipay, the personal cloud file hosting service Baidu Cloud, NetEase’s email service 163.com, instant messaging software service Tencent QQ and some online shopping platforms like Taobao, Tmall, and Jingdong.

Though formal complaints have been filed with the local law enforcement, nothing is known as of now regarding the identity of the hacker or group of hackers who have orchestrated these attacks.

In his report, Catalin Cimpanu, security reporter, ZDNet says, “Unless the ransomware authors used fake or fraudulently-obtained IDs to create their WeChat payment handling profiles, most victims said they expected police to track the criminals down. It is widely known that Chinese authorities have the capabilities to track WeChat payments and identify the people behind suspicious operations.”

The experienced security analyst that he is, Catalin Cimpanu is right in his observation. There have been earlier instances in which such cybercriminals were apprehended. The ZDNet reporter himself explains this- “This latest ransomware campaign is also not the first time Chinese-based ransomware authors have used WeChat as a ransom payment handling method. Those who made this fatal mistake in the past have been arrested by authorities within months, such as the case of a duo arrested in July, last year.”

He observes that the Chinese cops have already proved themselves as efficient in tracking down and arresting hackers, that too within weeks or months of an incident. The example he cites is of the Fireball adware incident, in which the Chinese police tracked down and arrested the hackers in just a month’s time. He also mentions other incidents, like for example the arrest of a hacker who targeted local travel agencies in just four days and the speedy tracking down of the hacker who sold data of millions of hotel guests on the Dark Web.

Local cybersecurity firms, according to reports, have clarified that the victims needn’t pay ransom money to the hackers. They claim that the ransomware issue can be resolved without having to pay the money, especially since it has been poorly programmed. The victims can get back their files and data by using some free decryptors, which the

security firms are getting ready and which would be available soon, as per reports.

Reports even point out that ransomware attacks are becoming quite common these days targeting the Chinese internet space, despite cops being able to track down and apprehend many of the hackers.