New strain of Ransomware infected over 100,000 PCs in China


New strain of Ransomware infected over 100,000 PCs in China


Security experts reported a new strain of malware spreading in China, the malicious code rapidly infected over 100,000 PCs in just four days.

Unfortunately, the number of infections is rapidly increasing because hackers compromised a supply chain.

It is interesting to note that this ransomware requests victims to pay 110 yuan (nearly Euro 14) in ransom through WeChat Pay.

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by anti-virus firm Velvet Security

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.” 

Victims are prompted to pay the ransomware to attackers’ WeChat account within 3 days to receive the decryption key. If the victim doesn’t pay the ransomware within a specific time, the malicious code will delete the decryption key from the C&C server.

The malicious code also implements password stealing abilities, the ransomware is able to steal users’ credential for popular Chinese services, including Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (, Taobao, Tmall , AliWangWang, and QQ websites.

The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.

According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.

The tainted software is used by hackers to inject the malicious code into every software compiled through the programming software.

To avoid detection, author of the threat signed the code with a trusted digital certificate issued form from Tencent Technologies and avoid encrypting data in some specific directories, like “Tencent Games, League of Legends, tmp, rtl, and program.

The good news for the victims is that researchers were able to crack the ransomware; the experts discovered that the malware uses XOR cipher, instead of DES, to encrypt the file, it also stores a copy of the decryption key locally on the victim’s system in the following path:


Velvet experts released d a free ransomware decryption tool that could be used to decrypt documents encrypted by the malware.

Experts attributed the ransomware to a software programmer named “Luo,” they reported their discovery to the Chinese authorities.

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

M2M protocols can be abused to attack IoT and IIoT systems

Security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems. According to a study conducted by experts from Trend Micro and the Polytechnic University of Milan. attackers abuse M2M protocols to target IoT and IIoT devices. The experts […]