New ransomware infected more than 100,000 PCs in China in just 4 days
In addition to encrypting files, the malware is also able to steal account passwords for various online services.
A new strain of ransomware is spreading rapidly across China: in just four days it has infected more than 100,000 computers, and the number of victims continues to grow. Unlike other ransomware, the new malware demands the ransom not in bitcoin but in yuan (110 yuan, about $16), which the victim must transfer through the WeChat Pay payment service.
The malware, called WeChat Payment, attacks only users in China. In addition to encrypting files, it is also capable of stealing account passwords for popular Chinese websites and social networks, including Alipay, NetEase 163, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang and QQ, and of collecting information about the infected system, including the processor model, the screen resolution and the installed programs.
According to experts at Velvet Security, the attackers injected malicious code into the EasyLanguage compiler, which is used by a large number of application developers. The trojanized compiler embedded the ransomware code in every application compiled with it.
Once on the system, the ransomware encrypts all files on the device except those with the .gif, .exe and .tmp extensions. To evade antivirus software, the malware authors signed it with a Tencent Technologies digital certificate. To further avoid detection, the ransomware skips the Tencent Games, League of Legends, tmp, rtl and Program folders.
Victims are given three days to pay the demanded amount; if no payment is made, the attackers threaten to delete the decryption key from their server. However, as it turned out, users can decrypt the files themselves, because a copy of the decryption key is stored locally on the victim's computer.
The researchers managed to gain access to the attackers' control server and MySQL database, where they found thousands of credentials. They handed all available information to Chinese law enforcement agencies for further investigation.