Recently, over 20,000 PCs in China have fallen victim to WeChat Pay ransomware. Files on the affected devices are encrypted by the ransomware. To regain access to the files, users are asked to scan a WeChat QR code that appears in a pop-up window and pay 110 yuan (about $16) in ransom. So far, WeChat carrier has suspended the use of this QR code. It also steals passwords to popular platforms including Alipay, Baidu Cloud, internet company NetEase’s 163 email service, Tencent’s instant messaging platform QQ, Taobao, Tmall, and JD.com.
This virus spreads through “supply chain pollution”. The virus writer releases “EasyLanguage” programming software infected with the virus on forums and injects the virus into developers’ development environment for spreading.
Back Up Important Data Regularly.
- Do not install software from unidentifiable sources, such as those from a forum or netdisk. When installing software, you are advised to check the software signature.
- If your computer has been infected, use the NSFOCUS decryption tool (see the appendix) for file decryption.
- After the virus is removed, please change your passwords to Alipay, Baidu Cloud, NetEase 163 email service, QQ, Taobao, Tmall, and JD.com as soon as possible.
After receiving the virus sample, the NSFOCUS security team immediately analyzed the sample and found that it can only encrypt files in the user’s Desktop directory and its subdirectories but cannot encrypt files of less than 64 bytes. The sample selects files for encryption by extension names. Files with the following extension names are not encrypted.
The sample generates a byte flow of 0x7D000 for encrypting files. If the file is larger than the key, excess part of the file will not be encrypted. After the XOR (Exclusive Or) operation is performed between the decryption key and byte flow (\x05\x07\x30\x0c\x31\x1b\x0a\x71\x0d\x76\x02\x00), they are written into the local file, %Appdata%/Roaming/unname_1989/datafiles/appcfg.cfg. Therefore, this local file can be used for data restoration.
To keep file header information intact, the sample encrypts a file from the 20th byte of its content and all files are encrypted via XOR with the same encryption key.
After all files are encrypted, the following window pops up.
NSFOCUS security researchers have provided a decryption script for affected users to download for file restoration. The procedure is as follows:
Put the %appdata%/roaming/unname_1989/datafile/appcfg.cfg file and decryption script in the same directory.
Run the weixin_ransomware_decrypt.py appCfg.cfg [path of the file to be decrypted] command to decrypt the file.
The following is an example of encrypted file.
Run the decryption script:
After decryption, the file content is as follows:
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.