A new ransomware strain successfully infected more than 100,000 personal computers in China over a period of just four days.
According to a report from Velvet Security, the first samples of this ransomware broke out on 1 December after users installed multiple social media-themed apps, including “Account Operation V3.1,” an app designed to help users manage multiple QQ accounts. The Chinese anti-virus firm subsequently monitored the threat over the next few days. By the evening of 4 December, the firm had identified at least 100,000 infections by the as-yet-unnamed virus.
This particular threat stands out for several reasons. First, it doesn’t just lock users’ computers and encrypt their files. It also comes with a component designed to steal victims’ login credentials for Chinese digital wallet services, personal cloud file hosting platforms, email providers and online shopping portals.
Second, the ransomware doesn’t use Bitcoin for its ransom payments. Instead it demands ransoms in the amount of 110 yuan (~$16) through the Chinese payment service WeChat.
This decision could spell trouble for the crypto-malware authors. As noted by ZDNet, local law enforcement can use this non-anonymized service to trace the ransom payments back to the criminals so long as they didn’t use fake or fraudulently used IDs to create their WeChat profile. Chinese police have arrested ransomware authors in the past, after all.
In the meantime, Velvet Security discovered that the ransomware uses XOR to encrypt users’ files and that it stores a copy of the decryption key locally on the victim’s machine. The anti-virus firm subsequently leveraged these weaknesses to develop a free ransomware decryption tool.
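The two weaknesses named above are worth seeing concretely. Repeating-key XOR is its own inverse, so anyone holding the key (which this strain left on the victim’s disk) can undo the “encryption” in a single pass, and even without the key, a file whose first bytes are predictable (a format magic such as a PDF header) leaks the key stream directly. The following Python is an added illustration of both properties, not Velvet Security’s decryption tool and not the malware’s own code; the sample document, the four-byte key and the key length are constructed assumptions.

```python
"""Why XOR 'encryption' with a locally stored key is recoverable.

Added illustration (not Velvet Security's tool and not the malware's code):
a repeating-key XOR scrambler, the trivial decryption once the stored key is
read back, and key recovery from a file whose header bytes are known.
All sample data below is constructed for the example.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same function encrypts and decrypts because
    (p ^ k) ^ k == p for every byte, so there is no separate 'decrypt' step."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_known_header(ciphertext: bytes, known_header: bytes,
                                  key_len: int) -> bytes:
    """If at least key_len bytes of plaintext are known (e.g. a file-format
    magic such as '%PDF-' or 'PK\\x03\\x04'), XORing them against the
    ciphertext yields the key stream directly: k = c ^ p."""
    if len(known_header) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    if len(ciphertext) < key_len:
        raise ValueError("ciphertext shorter than key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_header[:key_len]))


# Constructed sample "victim file": a PDF-like document with its standard magic.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n%constructed sample document body\n"
# Constructed 4-byte key standing in for the key the malware stored locally.
SAMPLE_KEY = b"k3y!"


def demo() -> tuple[bool, bool, bool]:
    """Run both recovery paths and report whether each restored the original.

    Returns (decrypted_with_stored_key, key_recovered_from_header,
             decrypted_with_recovered_key)."""
    ciphertext = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

    # Path 1: the key was left on disk, so recovery is one XOR pass.
    restored_with_key = xor_bytes(ciphertext, SAMPLE_KEY)

    # Path 2: the key is not at hand, but the file type's magic bytes are known.
    recovered_key = recover_key_from_known_header(ciphertext, b"%PDF-1.4", len(SAMPLE_KEY))
    restored_with_recovered = xor_bytes(ciphertext, recovered_key)

    return (
        restored_with_key == SAMPLE_PLAINTEXT,
        recovered_key == SAMPLE_KEY,
        restored_with_recovered == SAMPLE_PLAINTEXT,
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

A real recovery tool would additionally need to know where the strain wrote the key and which file types it touched; the point here is only that XOR with a reused key offers no confidentiality once either the key file or a few bytes of known plaintext are available to the defender.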
This campaign highlights how digital criminals continue to release new crypto-malware strains despite a shift in the threat landscape to crypto-mining malware and other threats. Users should therefore protect themselves by installing an anti-virus solution on their machines and by keeping their operating systems up-to-date. They can further prevent a ransomware infection by following these guidelines.