China Faced Wechat Ransomware Attack

A new malware attack broke out in China that infected WeChat, and users were asked to pay the ransom using the “WeChat Pay” app.

Security experts reported a new strain of malware spreading in China; the malicious code rapidly infected over 100,000 PCs in just four days.

The number of infections is still growing rapidly; in just four days it has already infected over 100,000 computers through vulnerabilities in the supply chain.

The security experts at Velvet Security, an anti-virus firm in China, said in their report:

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.”

Ransomware Attack Aimed At

Normally, the authors of ransomware demand a high ransom from their victims. In this case, however, the attackers demand only 110 yuan (16 USD or 14 Euro), paid via the WeChat payment app.


Victims get a pop-up message about the ransomware attack demanding that the ransom be paid within a deadline of 3 days. If the victim fails to pay the said amount within 3 days, the decryption key will be deleted from the attackers' C&C server.

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.”

It appears that earning money through ransom is not the authors' only motive: the ransomware also drops malicious code that can steal user information and passwords. The data is collected for various popular services such as Alipay, the NetEase 163 email service, Baidu Cloud Disk, Jingdong, Taobao, Tmall, AliWangWang, and QQ websites.
The data collected includes:

  • User details
  • Passwords
  • Installed apps
  • System-related info such as CPU model, screen resolution, network information and so on

According to Velvet Security, the attackers signed their code with a trusted digital certificate to make it appear legitimate. The attackers stole it from Tencent Technologies. However, the ransomware avoids encrypting data in some specific directories and programs. They include Tencent Games, League of Legends, tmp and rtl. It also avoids disabling a few security tools and features of the infected computer systems.

Bad programming techniques that were easy to crack

The security experts also reported that the attackers exploited a vulnerability in the “EasyLanguage” programming software to inject their malicious code into software built with this programming language.

Generally, software developers use “EasyLanguage” programming software to compile various applications.

Fortunately, as news of the ransomware attack broke, security experts started their research and were able to crack the malicious code implemented by the ransomware. They found that the encryption method used was XOR rather than DES (Data Encryption Standard). The XOR cipher is less complicated, and the ransomware also stored a local copy of the decryption key on the victim’s computer system.

The path of the decryption key stored locally follows:


The team at Velvet Security created a decryption tool for the ransomware attack. This tool can help victims decrypt their data without paying any ransom to the attackers.
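Why an XOR cipher with a locally stored key is recoverable, shown as an added example (this is not Velvet Security's tool or code from the malware). It assumes a repeating-key XOR and a known key length; the key, the file contents and all function names are constructed for illustration.

```python
# Added illustration with constructed data; all names here are hypothetical.
from itertools import cycle

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")  # fixed 8-byte header of every PNG


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is a no-op."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_with_local_key(ciphertext: bytes, key: bytes) -> bytes:
    """Case 1: a key copy left on the victim's disk restores the file."""
    return xor_bytes(ciphertext, key)


def recover_key_from_header(ciphertext: bytes, header: bytes, key_len: int) -> bytes:
    """Case 2: no key file, but the file type is known.

    ciphertext XOR plaintext equals the key stream, so a known header
    of at least key_len bytes reveals the whole repeating key.
    """
    if key_len < 1 or key_len > min(len(header), len(ciphertext)):
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], header[:key_len]))


# Constructed sample: a fake PNG "encrypted" with a made-up 4-byte key.
SAMPLE_KEY = b"k3y!"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"constructed image body"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    restored = recover_with_local_key(SAMPLE_CIPHERTEXT, SAMPLE_KEY)
    print("restored with local key:", restored == SAMPLE_PLAINTEXT)
    guessed = recover_key_from_header(SAMPLE_CIPHERTEXT, PNG_MAGIC, len(SAMPLE_KEY))
    print("key recovered from header:", guessed == SAMPLE_KEY)
```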

The analysts revealed that the author of the ransomware attack, “Luo”, is a software programmer. Further research is trying to gather more information about the programmer and details of any other malicious apps deployed by the same person.
