
New strain of ransomware infected over 100,000 PCs in China

Velvet Security: a new strain of ransomware is spreading fast in China. In four days it has infected more than 100,000 PCs, because the cybercriminals compromised a software supply chain.

A new strain of malware is spreading in China. It was discovered by Velvet Security researchers. It is ransomware that has infected over 100,000 PCs in just four days, because the cybercriminals compromised a software supply chain. The malicious actors ask victims to pay 110 yuan (nearly 14 Euros) through WeChat Pay within 3 days to decrypt their files. If the victim does not pay the ransom in time, the malicious code deletes the decryption key from the C&C server. “According to the monitoring and evaluation of the ‘Velvet Threat Intelligence System’, as of the evening of the 4th, the virus had infected at least 100,000 computers,” reads the researchers’ analysis. “Not only does it lock the computer. The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.”

The malware also implements password-stealing capabilities and collects system information and the list of installed software on the victim’s machine

The malware also implements password-stealing capabilities. The ransomware steals users’ credentials for popular Chinese services, including Alipay, the NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ websites. Furthermore, it collects information about the infected system, including CPU model, screen resolution, network configuration and the list of installed software. To maximise the spread of the code, the cybercriminals compromised the supply chain of “EasyLanguage”, a programming tool used by a large number of application developers: the compromised tool injects the malware into every program compiled with it, so every developer who built software with the tampered tool unknowingly shipped the ransomware to their own users. Moreover, to evade detection, the author signed the code with a trusted digital certificate belonging to Tencent Technologies, and the ransomware skips encrypting files in some specific directories, such as Tencent Games, League of Legends, tmp, rtl, and program. A valid signature from a well-known publisher is therefore not, by itself, evidence that a binary is benign. The security researchers attributed the ransomware to a software programmer named “Luo”.
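The supply-chain mechanism described above, as an added toy model (this is illustration code written for this page, not code from the Velvet Security analysis and not EasyLanguage’s own implementation): a tampered runtime library is linked into every program the build tool emits, so one compromise poisons every downstream build, and pinning the toolchain’s file hashes at install time catches the tampering before the first build. The file names (`compiler.exe`, `runtime.lib`), the runtime contents and the payload marker are all constructed sample bytes, not real artifacts.

```python
"""Toy model of a compromised build toolchain (an added illustration, not code
from the Velvet Security analysis or from EasyLanguage).  A tampered runtime
library is linked into every program the tool emits, so a single compromise
poisons all downstream builds; pinning the toolchain's hashes catches the
tampering before use.  All file contents below are constructed sample bytes."""
import hashlib

# Constructed stand-in for the clean runtime library shipped with the tool.
CLEAN_RUNTIME = b"RUNTIME v1: print/io/net support\n"
# Constructed, inert marker standing in for the injected malicious payload.
PAYLOAD_MARKER = b"<<INJECTED_PAYLOAD>>\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tamper_runtime(runtime: bytes) -> bytes:
    """Model the attacker's step: append the payload to the shared runtime."""
    return runtime + PAYLOAD_MARKER


def compile_program(source: bytes, runtime: bytes) -> bytes:
    """Toy 'compiler': the output is a header, the runtime, then the source.
    Anything hidden in the runtime lands in every binary built with it."""
    return b"EXE\x00" + runtime + b"\x00" + source


def binary_carries_payload(binary: bytes) -> bool:
    """Content check a scanner would run on a finished build."""
    return PAYLOAD_MARKER in binary


def make_manifest(toolchain: dict) -> dict:
    """Pin the hash of every toolchain file at install time (a known-good
    baseline, e.g. taken from the vendor's published checksums)."""
    return {name: sha256_hex(data) for name, data in toolchain.items()}


def verify_toolchain(toolchain: dict, manifest: dict) -> list:
    """Return the names of files whose hash no longer matches the manifest,
    plus any file the manifest never saw (a dropped-in extra component)."""
    bad = []
    for name, data in toolchain.items():
        expected = manifest.get(name)
        if expected is None or expected != sha256_hex(data):
            bad.append(name)
    return sorted(bad)


def build_with_check(source: bytes, toolchain: dict, manifest: dict) -> bytes:
    """Refuse to build at all if the toolchain fails its integrity check."""
    tampered = verify_toolchain(toolchain, manifest)
    if tampered:
        raise RuntimeError(f"toolchain integrity failure: {tampered}")
    return compile_program(source, toolchain["runtime.lib"])


def demo() -> dict:
    """Build the same app with a clean and a trojanised toolchain."""
    app_source = b"say hello\n"  # constructed application source
    clean_tc = {"compiler.exe": b"COMPILER v1\n", "runtime.lib": CLEAN_RUNTIME}
    manifest = make_manifest(clean_tc)

    # The developer installs a trojanised copy: same compiler, modified runtime.
    bad_tc = dict(clean_tc)
    bad_tc["runtime.lib"] = tamper_runtime(CLEAN_RUNTIME)

    clean_build = compile_program(app_source, clean_tc["runtime.lib"])
    bad_build = compile_program(app_source, bad_tc["runtime.lib"])
    return {
        "clean_build_infected": binary_carries_payload(clean_build),
        "bad_build_infected": binary_carries_payload(bad_build),
        "flagged_files": verify_toolchain(bad_tc, manifest),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `verify_toolchain` is that the check runs against the developer’s tools, not against the finished binaries: a build signed with a trusted certificate and shipped through a legitimate developer passes every downstream signature check, so the integrity of the toolchain itself is the earliest place the compromise can be caught.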

The Velvet Security analysis (in Chinese)
