Photo source: a perturbed net
Remember the global bitcoin ransomware “WannaCry” from a year and a half ago?
It extorted victims by encrypting important files on their computers and demanding bitcoin to unlock them. At the time, public security networks in China, including the entry-exit administration and police stations, were suspected to have been hit by the virus and had to temporarily suspend entry-exit services; many CNPC gas stations were knocked offline (“broken net”) by the attack and their online payment services were interrupted; the ransomware ran rampant on Chinese university campus networks, and even the graduation theses of a number of graduates were locked.
A year and a half later, just as “WannaCry” was fading from memory, another ransomware has come into public view. In the view of Internet security experts, however, the “technical level” of this ransomware falls far short of “WannaCry”.
No bitcoin: pay by WeChat
On December 1st, for the first time in China, a ransomware appeared that demanded its ransom be paid through WeChat Pay.
Like “WannaCry”, this ransomware encrypts the user’s files after infecting the computer, but instead of demanding bitcoin it requires the victim to scan a WeChat QR code that pops up on screen in order to pay the ransom.
“WannaCry” scanned for Windows machines with the file-sharing port 445 open and needed no user interaction: as long as a machine was on the Internet, criminals could implant ransomware, remote-control Trojans and cryptocurrency miners on computers and servers.
That Trojan encrypts files in 114 formats, including docx, PDF, xlsx and JPG, on the infected computer so that they can no longer be opened normally, then pops up a window to extort the victim, demanding bitcoin as “ransom”; at the time one bitcoin was worth roughly 10,000 yuan.
This time, the WeChat Pay ransomware encrypts TXT files, Office documents and other valuable data after infection, places a shortcut named “Your computer files have been encrypted, decrypt” on the desktop, then pops up a decryption tutorial and a payment QR code, and finally forces the victim to pay the decryption fee by mobile phone transfer. The ransomware does not, however, change the file name extensions.
Ransom interface of the ransomware (photo source: Rising WeChat official account)
After encrypting the files, the ransomware pops up a window demanding that the user pay a ransom of 110 yuan for decryption before December 3rd this year; if the deadline passes, the server will automatically delete the key.
A “pupil” level virus
At first glance both viruses are simply “asking for money”, but several Internet security teams found after analysis that this virus was “very simple” to crack.
First, security teams found that the ransomware was written in Easy Language, a programming language that uses Chinese as its program code and is considered a beginner, entry-level language. From this it is clear that the author’s coding skill is still fairly rudimentary. Moreover, Easy Language tools such as “account operation V3.1”, used by the virus distributors, are directly detected and removed by antivirus software.
Second, the author chose “WeChat Pay” for the extortion and asked for a ransom of 110 yuan. “WannaCry” used bitcoin as ransom because the hackers wanted to exploit bitcoin’s anonymity to avoid being tracked. A “WeChat Pay” code, by contrast, is very easy for the WeChat team to trace (the QR code has now been frozen by WeChat).
The virus author’s WeChat payment QR code (already frozen). Image source: Rising WeChat official account
At the same time, the ransomware uses simple XOR encryption, and the data needed to derive the decryption key is stored inside the virus file itself. So the files can be decrypted successfully without ever contacting the author’s server.
The security team of Red Star, a domestic antivirus vendor, even called it a “pupil” level ransomware.
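The design flaw just described, key material shipped inside the malware itself, is what lets an analyst write an offline decryptor. The following is an added illustration, not code from the article or from any analysis of the real sample: the “sample” is a constructed byte blob with a marker in front of the key seed, and the key derivation (SHA-256 of the seed, used as a repeating XOR key) is an assumed toy scheme chosen only to show the recovery step. The recovery functions need nothing but the sample and the locked file.

```python
"""Model of the weakness described above: key material embedded in the sample.

Constructed example, not the real malware. FAKE_SAMPLE is a fabricated byte
blob standing in for the ransomware binary; the only thing it shares with the
real one is the design flaw the article describes: the data needed to derive
the decryption key sits inside the file, so recovery needs no C&C server.
"""
import hashlib

# Constructed stand-in for the malware binary. A real analyst would locate the
# key material with a disassembler or a strings dump; a marker keeps it simple.
KEY_MARKER = b"KEYSEED="
FAKE_SAMPLE = (
    b"MZ\x90\x00fake-header\x00"                  # looks like a PE header, is not
    + b"\x00" * 16
    + KEY_MARKER + b"pupil-level-2018" + b"\x00"  # key seed stored in the file
    + b"...your computer files have been encrypted..."
)


def derive_key(seed: bytes, length: int = 32) -> bytes:
    """Stretch the embedded seed into a fixed-length XOR key (assumed toy scheme)."""
    return hashlib.sha256(seed).digest()[:length]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both locks and unlocks data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed_from_sample(sample: bytes) -> bytes:
    """Pull the key seed out of the sample: it sits after the marker, NUL-terminated."""
    start = sample.index(KEY_MARKER) + len(KEY_MARKER)
    end = sample.index(b"\x00", start)
    return sample[start:end]


def decrypt_offline(ciphertext: bytes, sample: bytes) -> bytes:
    """Recover a victim's file using only the sample; no contact with the author."""
    key = derive_key(recover_seed_from_sample(sample))
    return xor_with_key(ciphertext, key)


def simulate_infection(plaintext: bytes, sample: bytes) -> bytes:
    """Constructed victim file: what the toy encryptor would leave on disk."""
    return xor_with_key(plaintext, derive_key(recover_seed_from_sample(sample)))


if __name__ == "__main__":
    victim = b"graduation thesis, final version (constructed sample data)"
    locked = simulate_infection(victim, FAKE_SAMPLE)
    assert locked != victim
    print(decrypt_offline(locked, FAKE_SAMPLE).decode())
```

The contrast with “WannaCry” is the point: that family generated a fresh key per victim and protected it with the attacker’s public key, so nothing recoverable from the binary unlocks the files. A fixed seed baked into the sample, as modelled here, turns “pay or lose the key” into a one-time analysis job.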
Although security experts consider the “level” of the virus not very high, it has still caused a lot of trouble. According to Huanqiu.com, the “WeChat Pay” ransomware is spreading rapidly and the number of infected computers keeps rising. Besides encrypting victims’ files and demanding ransom, the gang behind it compromised and used a Douban page as a C&C server to steal passwords for apps such as Alipay.
First, the virus spreads through “supply chain pollution”, has already infected tens of thousands of computers, and the scope of infection is still expanding; second, it also steals users’ accounts of many kinds, including Taobao, Tmall, Ali Wangwang, Alipay, 163 Mail, Baidu Netdisk, JD.com and QQ accounts.
According to China News Service, Tencent has said that WeChat froze the ransomware author’s account as soon as it was discovered, and that WeChat users’ funds and accounts are not under threat. At the same time, it reminded users that ransomware may demand transfers through any payment method: if you encounter extortion, do not pay, and report it to the police promptly.
Ransomware causes millions of dollars of losses a year
To the general public, ransomware seems to have appeared only in the last two years, but in fact it first appeared nearly 30 years ago.
Ransomware first appeared in 1989, when Joseph L. Popp, a Harvard University graduate, created the first ransomware, the AIDS Trojan.
In 1996, a security specialist at Columbia University and IBM wrote a paper titled Cryptovirology that clearly set out the concept of ransomware: malicious code interferes with the normal use of the infected machine, and normal use is restored only after payment.
Photo source: a perturbed net
The first ransomware to use bitcoin as its means of payment appeared at the end of 2013: a virus known as CryptoLocker, which used a bitcoin trading platform to cash out. The scheme succeeded within just one month, infecting millions of computers and collecting a ransom of $27 for each computer.
According to the Internet Crime Report released by the Federal Bureau of Investigation (FBI) in recent years, ransomware caused losses of about $2,340,000 in the United States in 2017, about $2,430,000 in 2016, and $1,600,000 in 2015.
These figures are based only on reports received by the FBI; many victims, hoping to avoid further trouble, chose to pay the ransom rather than report to the police.