WeChat Ransom Ransomware

A new ransomware family named WeChat Ransom has been discovered. Unlike the legitimate WeChat service, this ransomware encrypts a user’s local files and steals credentials for Chinese online services. It was first seen on December 1st targeting Chinese users. WeChat Ransom has infected over 100,000 users since it first surfaced in the wild and demands a payment of 110 yuan ($16 USD) to decrypt the files. Victims can make the payment through Tencent’s WeChat payment service by scanning a QR code. The ransomware’s author used Douban, a Chinese social networking service, to send commands to infected machines. According to researchers, “the malware propagated through a compromised popular application designed to manage multiple QQ accounts at the same time. Additional data reveals that the malware author poisoned at least 50 applications to spread the ransomware.” Further investigation revealed that the ransomware is far from complex. Researchers gained access to two servers used to store stolen data and discovered over 20,000 passwords for Alipay and Taobao on one of them. Other stolen credentials were for services including 163, Aliwangwang, Baidu Cloud, JingDong, Tmall, and QQ. It is currently unclear who is behind the ransomware, but researchers believe they may have found the author’s name, email address, phone number, and QQ account. Additional information was also found through a domain search.

Analyst Notes

Any user who becomes a victim of the WeChat Ransom ransomware does not need to pay the ransom: several security companies, including Huorong, Qihoo, and Tencent, have made decryption tools available for this particular ransomware. The WeChat Ransom campaign primarily targeted Chinese users and was shut down very quickly.