
New strain of Ransomware infected over 100,000 PCs in China


china ransomware note

Security experts reported a new strain of malware spreading in China; the malicious code infected over 100,000 PCs in just four days.

The number of infections is still rising because the attackers compromised a software supply chain.

Notably, the ransomware demands a ransom of only 110 yuan (roughly 14 euro), payable through WeChat Pay.

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by anti-virus firm Velvet Security.

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.”

Victims are prompted to pay the ransom to the attackers’ WeChat account within 3 days to receive the decryption key. If the victim does not pay within that window, the malware will delete the decryption key from the C&C server.

The malware also implements credential-stealing capabilities: it harvests users’ credentials for popular Chinese services, including Alipay, NetEase 163 email, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ.

The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.

According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.

The tainted toolchain injects the malicious code into every program compiled with it, so the ransomware is shipped inside otherwise legitimate applications built by unsuspecting developers.

To evade detection, the author signed the code with a trusted digital certificate from Tencent Technologies. The malware also skips a few directories when encrypting, including “Tencent Games”, “League of Legends”, “tmp”, “rtl” and “program”.

The good news for victims is that researchers were able to crack the ransomware: the malware encrypts files with a simple XOR cipher rather than DES, and it leaves a copy of the decryption key on the victim’s system at the following path:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
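Both findings above mean the “encryption” is reversible without paying: a repeating-key XOR is undone by the same operation, and the key is sitting on disk. The following Python script is an added illustration, not Velvet Security’s decryption tool and not the ransomware’s own code. It assumes, for demonstration only, that the key file holds the raw key bytes and that each file is XORed with that key repeated from offset zero (the real key-file format is not documented on this page). It shows two recovery routes: reading the locally stored key, and, for the case where that file has been wiped, recovering the key from the known header bytes (magic numbers) of common file types. The key, the file names and the sample PNG data are constructed.

```python
"""Recovering files from a repeating-key XOR "encryptor" whose key is left on disk.

Added example, not Velvet Security's tool and not the malware's own code.
Assumptions (not stated on the page): the key file holds raw key bytes, and
each file is XORed with the key repeated from offset 0.  Key, file names and
sample data are constructed for the demonstration.
"""
import itertools
import tempfile
from pathlib import Path

# Key file location relative to %APPDATA% (AppData\Roaming), as reported.
KEY_FILE_RELATIVE = Path("unname_1989") / "dataFile" / "appCfg.cfg"

# Magic bytes usable as known plaintext when the key file is unavailable.
KNOWN_HEADERS = {
    ".png": bytes.fromhex("89504E470D0A1A0A"),
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def load_local_key(appdata_dir) -> bytes:
    """Read the key the malware left behind under %APPDATA% (assumed raw bytes)."""
    return (Path(appdata_dir) / KEY_FILE_RELATIVE).read_bytes()


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: key[i] = ciphertext[i] ^ plaintext[i].

    Only len(known_plaintext) key bytes can be learned from one file; the
    shortest period consistent with them is returned.  If the key is longer
    than the known plaintext, the result is a prefix, not the full key.
    """
    n = min(len(ciphertext), len(known_plaintext))
    prefix = bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))
    for period in range(1, len(prefix) + 1):
        if all(prefix[i] == prefix[i - period] for i in range(period, len(prefix))):
            return prefix[:period]
    return prefix


def decrypt_file(path, key: bytes) -> bytes:
    """Return the plaintext of an XORed file without touching the original."""
    return xor_with_key(Path(path).read_bytes(), key)


def demo(workdir=None) -> dict:
    """Simulate an infected profile, then recover the file both ways."""
    workdir = Path(workdir or tempfile.mkdtemp())
    appdata = workdir / "AppData" / "Roaming"
    key = bytes.fromhex("1F2E3D4C5B6A7988")  # constructed 8-byte key

    # What the malware leaves behind: the key file and an XORed document.
    key_path = appdata / KEY_FILE_RELATIVE
    key_path.parent.mkdir(parents=True, exist_ok=True)
    key_path.write_bytes(key)
    plaintext = KNOWN_HEADERS[".png"] + b"\x00\x00\x00\x0dIHDR" + bytes(range(256))
    victim = workdir / "photo.png"
    victim.write_bytes(xor_with_key(plaintext, key))

    # Route 1: key read from disk.  Route 2: key recovered from magic bytes.
    key_from_disk = load_local_key(appdata)
    key_from_header = recover_key(victim.read_bytes(), KNOWN_HEADERS[".png"])
    return {
        "key_from_disk": key_from_disk,
        "key_from_header": key_from_header,
        "restored_with_disk_key": decrypt_file(victim, key_from_disk) == plaintext,
        "restored_with_header_key": decrypt_file(victim, key_from_header) == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

Known-plaintext recovery yields only as many key bytes as you have known plaintext, so for a key longer than a file’s magic bytes, use a file for which an unencrypted copy exists (an installer, a system file). Verify any recovered key by decrypting a second file and checking its header before running it over a whole disk, and work on copies rather than in place.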

Velvet experts released a free decryption tool that victims can use to recover documents encrypted by the malware.

Experts attributed the ransomware to a software programmer named “Luo” and reported their findings to the Chinese authorities.

ransomware author

Pierluigi Paganini

(Security Affairs – cybercrime, China)
