Chinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.
The UNNAMED1989 Ransomware was released on December 1st and in a matter of days quickly infected 100k victims. This ransomware would encrypt a victims files using XOR encryption and then display a QR code where they demanded a ransom payment of 110 Yuan, or approximately $16 USD, to be paid via WeChat.
According to a report from Chinese media, with the help of Tencent and Qihoo’s 360 Security teams, the authorities were able to track down and arrest a 22 year old man named Luo Moumou on December 5th. After his arrest, Moumou allegedly admitted to the creation of this ransomware.
This report states that Moumou created a development module that was promoted as allowing users to steal Alipay accounts and their associated funds. This module, though, contained the ransomware code and any other programs that utilized the module would help to spread the ransomware.
“In June 2018, Luo Moumou independently developed the virus “cheat”, which was used to steal the account password of others Alipay, and then steal funds by means of transfer,” stated a report by Weibo.cn. “At the same time, a development software module containing the “cheat” Trojan virus code is produced and published on the Internet.”
As this ransomware would also steal passwords for popular Chinese sites, the authorities are recommending that users change the password for Alipay, Baidu Yun, Netease 163, Tencent QQ, Taobao, Tmall and Jingdong.
Moumou has been criminally detained by the police as the case is further investigated.
Decryptors available for the UNNAMED1989 Ransomware
Thankfully, the UNNAMED1989 Ransomware only utilized XOR encryption, so decryptors have been released by Tencent and the Velvet Security Team.
Using these decryptors, victims can get their files back for free.
Thx to Fly for the tip!