What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin.
Instead, the attacker is asking victims to pay 110 yuan (nearly USD 16) in ransom through WeChat Pay—the payment feature offered by China's most popular messaging app.
It also includes an additional ability to steal users' account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites.
A Supply Chain Attack — According to Chinese cybersecurity and anti-virus firm Velvet Security, attackers added malicious code into the "EasyLanguage" programming software used by a large number of application developers.
The maliciously modified programming software was designed to inject ransomware code into every application and software product compiled through it—another example of a software supply-chain attack to spread the virus rapidly.
Using Digital Signatures — To defend against Antivirus programs, the malware uses a program with valid signature to execute the virus code and also avoids encrypting data in some specific directories, like "Tencent Games, League of Legends, tmp, rtl, and program."
Once encrypted, the ransomware pops-up a note, asking users to pay 110 yuan to attackers' WeChat account within 3 days to receive the decryption key.
Besides encrypting user files, the ransomware also silently steals users login credential for popular Chinese websites and social media accounts and send them to a remote server.
It also gathers system information including CPU model, screen resolution, network information and list of installed software.
Poor Ransomware Has Been Cracked — Chinese cybersecurity researchers found that the ransomware has poorly been programmed and attackers lied about the encryption process.
The ransomware note says users’ files have been encrypted using DES encryption algorithm, but in reality, it encrypts data using a less secure XOR cipher and stores a copy of the decryption key locally on the victim's system itself in a folder at following location:
%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
Using this information, the Velvet security team created and released a free ransomware decryption tool that can easily unlock encrypted files for victims without requiring them to pay any ransom.
Researchers also managed to crack and access attackers' command-and-control and MySQL database servers, and found thousands of stolen credentials stored on them.
Who Is Behind This Ransomware Attack? — Using publicly available information, researchers have found a suspect, named “Luo,” who is a software programmer by profession and developed applications like "lsy resource assistant" and "LSY classic alarm v1.1"
Lua's QQ account number, mobile number, Alipay ID and email IDs match with the information researchers collected by following the attacker’s WeChat account.
After being notified of the threat, WeChat has also suspended the attackers account on its service that was being used to receive the ransom payments.
Velvet researchers have also informed Chinese law enforcement agencies with all available information for further investigation.
Chinese Hacker Behind WeChat Ransomware Arrested
UPDATE (06/12/2018) — Dongguan Police have arrested a 22-year-old Chinese man who has admitted his role in creating and spreading a new ransomware malware across China that has compromised over 100,000 computers in past five days, asking victims to pay ransom via WeChat payment service.
As explained in the article above, the hacker (whose name and identity was revealed by security researchers as Luo Moumou) didn't do much to clear his tracks, making it easier for authorities to track him down within 24 hours."After the trial, the suspect Luo Moumou confessed to the fact that he was making new ransomware to destroy the computer information system and using WeChat to pay for blackmail," Chinese media reported."According to his confession, in June 2018, Luo Moumou independently developed the virus 'cheat, which was used to steal the account password of others Alipay, and then steal funds through transfer." Moumou was arrested on December 5th from Maoming, a city located in southwestern Guangdong, China.
CEEH - (Certified Expert Ethical Hacker) Certification. This Is Advance Ethical Hacking Course You Will Learn In This Course
Chapter 1- Introduction Of Ethical Hacking
Chapter 2- Cyber Crime
Chapter 3- Foot-Printing
Chapter 4- Foot-Printing Pen-Testing
Chapter 5- Scanning
Chapter 6- Proxy Server
Chapter 7- Enumeration
Chapter 8- Banner Garbing
Chapter 9- Password Hacking
Chapter 10- Windows Hacking And Securing
Chapter 11- System Hacking
Chapter 12- Virus And Worm
Chapter 13- Physical Security
Chapter 14 - Ransomware
Chapter 15 -Sniffing
Chapter 16 -Social Engineering
Chapter 17 -Session Hijacking
Chapter 18 -Dos Attack
Chapter 19 -Stenography
Chapter 20 -Cryptography
Chapter 21 -Sql Injection
Chapter 22 -Web Server & Application Hacking
Chapter 23 -Buffer Overflow
Chapter 24 -Wireless Network Hacking
Chapter 26 -Sim Card Cloning
Chapter 27 -Android Hacking
Chapter 28 -Honey Port
Chapter 29 - Batch File Programing
And So On ...
Challenge EC-Council Course CEHv10 0r Update Version
.
Contact us:
Red Securium Pvt Limited Company
Red securium company provide best ethical hacking and cyber security training in noida.
Address: Block A, A-25, Second Floor, Sector 3, Noida, Uttar Pradesh 201301
Telephone number: +91-120 429 1672
Website : redsecurium.org
Email: info@redsecurium.org
Mobile number: +91-7455923827
Google+ Profile: Red Securium
Facebook profile: Red Securium
Twitter Profile: Red Securium
Instagram Profile: Red Securium
Comments
Post a Comment