Hackers among most vulnerable to China’s first WeChat Pay ransomware

Creators of illicit software may have been the most vulnerable targets of a recent, apparently homegrown, ransomware effort in China.

Attacks were first reported on the night of December 1, according to antivirus software provider Huorong Security. The software encrypted important files in .doc, .txt, .jpg, and other formats, and also stole 20,000 passwords and other pieces of data from Taobao and Alipay platform users, among others. The attack affected only PCs, The Paper reports, and a majority of victims were likely illicit software creators or purveyors who often don’t use security software.

[Chart] Taobao, Tmall, and Alipay accounts were most affected by the hack, followed by Aliwangwang, 163 email, QQ email, QQ accounts, JD.com, and Baidu Pan (unit: number of incidents). Image credit: Huorong

The incident marks the first time Chinese ransomware creators have used a (traceable) WeChat QR code to demand payment, with users asked for RMB 110 (around $16) to unlock their documents.

Software security companies including Huorong, Tencent, 360, and others moved quickly to upgrade their security systems and provide decryption keys to affected users. By the night of December 2, Tencent states, the account receiving payments had been shut down.

A company representative told TechNode that the QR payment code has also been frozen, and neither WeChat users’ money nor their account safety had been affected. The company’s claims could not be verified by TechNode.

Alipay made similar assertions, saying that there were no signs the hack affected its users’ accounts. It added that in the “unlikely” case of data theft, losses would be paid back in full.

As of Tuesday night, Huorong stated, 100,000 computers had been infected by the ransomware, although those who had upgraded their security systems should be safe.

Following the data trail to its source on GitHub, Huorong found that the malware originated from a person surnamed Luo. His identity has since been shared with police.

According to Huorong, the malware entered various software products and programs developed using Chinese programming language EPL (literally, Easy Programming Language).

Although the hack eventually affected multiple popular platforms, Huorong determined that WeChat Pay and Alipay played no direct roles in spreading or creating the virus, and the companies’ platforms also didn’t have any significant security weaknesses.