A new piece of ransomware has been spreading across China and has already infected over 100,000 computers. The virus has been spreading for the last 4 days and asks victims to pay 16 USD (110 yuan) through the Chinese messaging app, WeChat. This makes it unique compared to the usual ransomware that normally asks victims to pay in Bitcoin, which is known for being anonymous and untraceable.
It seems that the ransomware is specifically and only targeting Chinese users, rather than going after global targets. The virus also has the ability to steal passwords and account information for popular Chinese websites such as Alipay, Taobao, Tmall, Jingdong, Baidu Cloud Disk and more.
The malware has been injected into many applications that are then downloaded by victims. The virus is also armed with a trusted digital signature, allowing it to bypass antivirus systems and present a pop-up to the victim.
The pop-up asks the victim to pay the 110 yuan within three days in order to decrypt their files and regain control of the computer. While the malware is waiting for the decryption key provided by paying the money, it is silently stealing the passwords for popular Chinese social media accounts and sending them to a remote server.
The encryption of files on the user's computer is not sophisticated, and Chinese security researchers have discovered that the decryption key can be found on the victim's system.
The Velvet security team has released a free ransomware decryption tool to help victims unlock their files and regain control of their system.
Security researchers believe someone named "Luo" is the culprit, based on the available information, but the investigation is still ongoing.
WeChat has also suspended the attacker’s account.