New strain of ransomware infected over 100,000 PCs in China – Cyber Defense Publication
Security experts reported a new strain of malware spreading in China; the malicious code infected over 100,000 PCs in just four days.
Unfortunately, the number of infections is growing rapidly because the attackers compromised a software supply chain.
It is interesting to note that this ransomware demands that victims pay 110 yuan (almost 14 euro) in ransom through WeChat Pay.
“On December 1, the first ransomware that required a ‘WeChat payment’ ransom broke out in the nation. According to the tracking and examination of the ‘Velvet Threat Intelligence System’, since the night of the 4th the infection contaminated at least 100,000 computers, and not just locked the computer,” reads the analysis published by anti-virus firm Velvet Security.
“The file also steals details on tens of thousands of user passwords on platforms such as Taobao and Alipay.”
Victims are prompted to pay the ransom to the attackers’ WeChat account within 3 days to get the decryption key. If the victim does not pay the ransom within that time, the malicious code will delete the decryption key from the C&C server.
The malicious code also implements password-stealing capabilities: the ransomware can steal users’ credentials for popular Chinese services, including Alipay, the NetEase 163 e-mail service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ.
The ransomware also gathers information on the infected system, including CPU model, screen resolution, network information, and the list of installed software.
According to experts from Velvet Security, the attackers compromised the supply chain of the “EasyLanguage” programming software, which is used by a large number of application developers.
The tainted software is used by the attackers to inject the malicious code into every program compiled with it.
To avoid detection, the author of the threat signed the code with a trusted digital certificate from Tencent Technologies, and the malware avoids encrypting data in some specific directories, such as “Tencent Games”, “League of Legends”, “tmp”, “rtl”, and “program”.
Fortunately for the victims, researchers were able to crack the ransomware: the experts found that the malware uses an XOR cipher, rather than DES, to encrypt files, and it also saves a copy of the decryption key locally on the victim’s system at the following path:
%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
Velvet experts released a free ransomware decryption tool that can be used to decrypt files encrypted by the malware.
Experts attributed the ransomware to a software developer named “Luo,” and they reported their discovery to the Chinese authorities.
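As an added illustration (not code from the article, from Velvet Security, or from the malware) of why this design was recoverable: a repeating-key XOR scheme can be undone either with the key copy the malware leaves on disk or, as a generalisation of the article's point, from a known file header alone. The key, the sample file, and the file names below are constructed for the example.

```python
# Added illustration of the two recovery paths for a repeating-key XOR "cipher":
# (1) reading the key copy left on disk, (2) deriving the key from a known header.
# Key, sample file contents and file names are constructed, not taken from the malware.
import tempfile
from itertools import cycle
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                  # well-known 8-byte header = known plaintext
KEY = b"k3y!"                                    # constructed 4-byte key
PLAINTEXT = PNG_MAGIC + b"constructed image body" # constructed victim file


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_header(ciphertext: bytes, known_header: bytes, key_len: int) -> bytes:
    """ciphertext[i] ^ plaintext[i] == key[i % key_len], so a known file header at
    least key_len bytes long yields the whole key even without the stored key file."""
    if len(known_header) < key_len:
        raise ValueError("known header shorter than key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_header[:key_len]))


def recover_with_stored_key(enc_path: Path, key_path: Path) -> bytes:
    """Mirrors the reported flaw: the key copy left on the victim's disk decrypts the file."""
    return xor_bytes(enc_path.read_bytes(), key_path.read_bytes())


def demo() -> tuple:
    """Encrypt the constructed file, drop a key copy beside it, then recover it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        enc = Path(tmp) / "photo.png.enc"   # constructed name for an encrypted victim file
        cfg = Path(tmp) / "appCfg.cfg"      # constructed stand-in for the local key copy
        enc.write_bytes(xor_bytes(PLAINTEXT, KEY))
        cfg.write_bytes(KEY)
        via_key_file = recover_with_stored_key(enc, cfg)
        derived_key = recover_key_from_header(enc.read_bytes(), PNG_MAGIC, len(KEY))
        via_known_plaintext = xor_bytes(enc.read_bytes(), derived_key)
    return via_key_file, via_known_plaintext


if __name__ == "__main__":
    print(demo())
```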