Delaware, USA – December 5, 2018 – A new ransomware strain emerged last Saturday and has so far infected more than 100,000 PCs in China. WeChat Ransom encrypts local files only and steals credentials for multiple Chinese online services. The ransomware demands just 110 yuan (~$16) to decrypt the files, and a victim can pay via the WeChat payment service by scanning a QR code.

According to experts from Velvet Security, the adversaries injected malicious code into the EasyLanguage compiler used by a large number of application developers. The trojanised compiler embedded the ransomware code in every application compiled with it. Most users were infected after installing the “Account Operation V3.1” app, which helps users manage Tencent QQ instant messenger accounts, but researchers have detected over 50 other malicious apps spreading WeChat Ransom. The information-stealing component collects credentials for Alipay, Baidu Cloud, NetEase 163, Tencent QQ, Taobao, Tmall, Jingdong and several other Chinese online services. To evade antivirus solutions, the malware authors signed the binaries with a Tencent Technologies digital certificate. The decryption key is hardcoded in the malware, so security companies are working on decryption tools.
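The compromised-compiler angle is the part of this story a build engineer can act on today: if the toolchain itself is trojanised, every signed, “clean-looking” output carries the implant. One mitigation is to pin the SHA-256 hashes of the toolchain files and refuse to build when any of them changes or when an extra file appears beside the compiler. The following is an added example, not code from the article, from Velvet Security or from the EasyLanguage project; the toolchain directory, file names and contents are constructed stand-ins, and the check is generic rather than specific to this malware.

```python
"""Toolchain integrity check against a pinned manifest.

Added example, not from the original article. The "toolchain" directory, the
file names (compiler.exe, lib/runtime.lib, payload.dll) and their contents are
constructed for the demonstration; in practice the manifest would be generated
from a known-good install and stored outside the build host.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large compiler binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its root-relative POSIX path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> list:
    """Compare the live toolchain to the pinned manifest.

    Returns a list of findings; an empty list means the toolchain matches.
    Modified and missing files are reported first, then files that were not
    in the manifest at all (a dropped payload next to the compiler).
    """
    findings = []
    current = build_manifest(root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings.append(f"missing: {rel}")
        elif actual != expected:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple:
    """Pin a constructed clean toolchain, then tamper with it as a trojanised compiler would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolchain"
        (root / "lib").mkdir(parents=True)
        (root / "compiler.exe").write_bytes(b"constructed clean compiler image")
        (root / "lib" / "runtime.lib").write_bytes(b"constructed clean runtime library")

        pinned = build_manifest(root)          # taken from the known-good install
        clean = verify_manifest(root, pinned)  # expected: no findings

        # Simulate the supply-chain compromise: the runtime library that gets
        # linked into every build now carries an implant, and an extra payload
        # file appears beside the compiler.
        (root / "lib" / "runtime.lib").write_bytes(
            b"constructed clean runtime library" + b"\x90implant"
        )
        (root / "payload.dll").write_bytes(b"constructed implant")
        tampered = verify_manifest(root, pinned)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean toolchain findings:", before)
    print("tampered toolchain findings:", after)
```

The check runs before the compiler is invoked, so it catches the case this article describes (the compiler or its runtime silently replaced) but not a compromise of the host after the manifest was pinned; pair it with verifying the toolchain download’s publisher signature, and keep the manifest in version control rather than next to the toolchain it protects.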
The experts managed to gain access to the command-and-control server and the attackers’ MySQL database, which contained thousands of stolen credentials. The malware authors left many traces, but it is unclear whether they used real IDs to create their payment-handling profiles. Even unsophisticated ransomware can infect tens of thousands of systems. To detect such attacks at an early stage, you can use the Ransomware Hunter rule pack from Threat Detection Marketplace: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight