A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack, and the number is continuously increasing every hour.

What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin.

Instead, the attackers are asking victims to pay 110 yuan (nearly USD 16) in ransom via WeChat Pay—instant payment feature of China's most popular messaging app developed by Tencent.
Ransomware + Password Stealer — Unlike WannaCry and NotPetya ransomware outbreaks that caused worldwide chaos last year, the new Chinese ransomware has been targeting only Chinese users and includes an additional ability to steal users’ passwords for Alipay, NetEase's 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ accounts.

A Supply Chain Attack — According to Chinese cybersecurity and anti-virus firm Velvet Security, the attackers injected malicious code into the "EasyLanguage" programming software used by a large number of application developers.

The maliciously modified programming software, promoted via various Chinese forums, has been designed to hide ransomware virus into every application and software product (a list of a few of them as shown below) compiled through it—another example of a software supply-chain attack to spread the virus rapidly.
More than 100,000 Chinese users who installed any of the infected applications got their systems compromised. The ransomware has been designed to encrypt users’ files on the infected system, except files with gif, exe, and tmp extensions.

Using Stolen Digital Signatures — To defend against Antivirus, the malware uses stolen digital signature from Tencent Technologies and avoid infecting data or files in some specific directories, like "Tencent Games, League of Legends, tmp, rtl, and program."

Once encrypted, the ransomware pops-up a note, asking users to pay 110 yuan to attackers’ WeChat account via the payment feature of instant messaging service within 3 days to receive the decryption key.
If not paid in 3 days, the malware threatens to delete the decryption key from its remote command-and-control server automatically.

Besides encrypting user files, the ransomware also silently steals users login credential for popular Chinese websites and social media accounts and send them to a remote server. It also gathers system information including CPU model, screen resolution, network information and list of installed software.

Poor Ransomware Has Been Cracked — Chinese cybersecurity researchers found that this ransomware has poorly been programmed, and lies about its encryption.

The ransomware note says users’ files have been encrypted using DES encryption algorithm, but in reality, it encrypts files using a less secure XOR cipher and stores a copy of the decryption key locally on the victim's system itself in a hidden folder at:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Using this information, the Velvet security team created and released a free ransomware decryption tool that can successfully unlock encrypted files for victims without requiring them to pay any ransom.

Researchers also managed to crack and access attackers' one of the command-and-control servers and MySQL database servers, where they found thousands of stolen credentials as well.

Who Is Behind This Ransomware Attack? — Using publicly available information, researchers have found a suspect, named “Luo,” who is a software programmer by his profession and developed applications like "lsy resource assistant" and "LSY classic alarm v1.1"

Lua's QQ account number, mobile number, Alipay ID and email IDs match with the information researchers collected via following attacker’s WeChat account.

Moreover, after being notified of the threat, WeChat has also suspended the attackers account on its service used to receive the ransom payments.

Velvet researchers have also notified Chinese law enforcement agencies with the available information for further investigation.