Red Security
News New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs - Printable Version




New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs - Mad-Architect - 12-05-2018



In China, over 100,000 machines have been infected with malware via a supply chain attack, and that number is growing. This particular malware doesn't ask for a ransom but instead asks victims to pay 100 yuan [almost 16 USD] to the attacker's WeChat Pay account, a payment feature of a popular messaging app in China. As of the writing of this article, and unlike WannaCry, this ransomware only affects Chinese users.


If the payment is not made in the allotted time, the malware deletes the decryption key from its remote command-and-control server via an automated process. The malware has also been observed gathering system information such as CPU model, screen resolution, and network information.

Chinese cyber-security researchers recently discovered that the malware was "poorly programmed" and that the attackers lied about the encryption process. The ransom note states that all of the user's files have been encrypted with the DES encryption algorithm, but in truth the malware keeps a copy of the decryption keys obfuscated with a less secure XOR cipher. That copy can be found at this file location:

   %user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg


The information above was used to create a free ransomware decryption tool.
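To show why an XOR-obfuscated key file is enough to build a decryption tool, here is an added example that is not code from the article, the researchers or the malware. The post does not describe the real layout of appCfg.cfg, so the record format, the 4-byte key, the "KEY=" prefix and the pangram below are constructed assumptions used only to demonstrate the weakness: with repeating-key XOR, a few bytes of predictable plaintext reveal the key outright, and a one-byte key falls to a search over 256 candidates. A real block cipher such as DES would not expose its key in either way.

```python
"""Why a repeating-key XOR "cipher" cannot protect a stored decryption key.

Added example for this post; not code from the article, the researchers or
the malware. The record format, XOR key and known prefix are constructed.
"""
from itertools import cycle
from typing import Tuple

# Constructed sample data (assumptions, not real malware artefacts).
SAMPLE_RECORD = b"KEY=0123456789ABCDEF;ID=victim-001"  # imagined key record
SAMPLE_XOR_KEY = b"\x5a\x13\xc4\x77"                   # imagined 4-byte XOR key
KNOWN_PREFIX = b"KEY="                                  # assumed predictable header
PANGRAM = b"the quick brown fox jumps over the lazy dog"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. One function serves both directions because
    (x ^ k) ^ k == x; that symmetry is exactly why it is so easy to undo."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_known_plaintext(ciphertext: bytes, known: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the first key_len bytes of the plaintext
    are predictable (a fixed header, field name or magic value), XORing them
    with the ciphertext yields the key directly."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len]))


def recover_single_byte_key(ciphertext: bytes) -> int:
    """Exhaustive search for a one-byte XOR key: try all 256 candidates and
    keep the one whose output looks most like lowercase English text."""
    likely = set(b"abcdefghijklmnopqrstuvwxyz ")

    def score(k: int) -> int:
        return sum(1 for b in xor_bytes(ciphertext, bytes([k])) if b in likely)

    return max(range(256), key=score)


def demo_known_plaintext() -> Tuple[bytes, bytes]:
    """Obfuscate the sample record, then recover key and record using only
    the assumed 'KEY=' prefix. Returns (recovered_key, recovered_record)."""
    obfuscated = xor_bytes(SAMPLE_RECORD, SAMPLE_XOR_KEY)
    key = recover_key_known_plaintext(obfuscated, KNOWN_PREFIX, len(SAMPLE_XOR_KEY))
    return key, xor_bytes(obfuscated, key)


def demo_single_byte() -> int:
    """Obfuscate the pangram with one byte, then recover that byte by search.
    The pangram contains every letter, so only the true key maps all bytes
    back into lowercase letters and spaces."""
    return recover_single_byte_key(xor_bytes(PANGRAM, b"\x2a"))


if __name__ == "__main__":
    key, record = demo_known_plaintext()
    print("recovered key   :", key.hex())
    print("recovered record:", record.decode())
    print("single-byte key :", hex(demo_single_byte()))
```

The practical lesson for analysts is that a stored secret whose "encryption" is XOR against a fixed or short key is recoverable from the artefact alone, which is what makes a victim-side decryption tool feasible without ever contacting the attacker's server.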


The suspect behind the attack is a user called "Luo", a software developer by profession. The information connected to the suspect matched what was found on the attacker's WeChat account, which has now been suspended. All information on the suspect has been handed over to the proper authorities.




    Like the article? Feel free to comment. Have a good day and stay safe out there.



    ---Mad Architect.