Security Advisory – Ransomware Attack Targeting China – December 2018

Ransomware Attack Targeting China – Security Advisory

A new ransomware strain spreading as a result of supply chain attack targeting Chinese users starting from December 1 and infected more than 100,000 computers.
The ransomware not only encrypting the system files, but it is also capable of stealing login credentials of popular Chinese online services such as Taobao, Baidu Cloud, NetEase 163, Tencent QQ, Jingdong, and Alipay.
Velvet security researchers who analyzed the ransomware variant found that the attackers added malicious code to “Easy language” programming software and the malicious code will be injected to various other software compiled with it.
In total more than 50 software poisoned with the malicious code, and the ransomware operators using Chinese social networking Douban for C&C communication. The Ransomware also tracks the details of the software installed on the victim’s computer.
It encrypts data using a less secure XOR cipher and stores a copy of the decryption key locally on the victim’s system itself in a folder at following location: %user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Fig: Executable files modified through Supply Chain Attack

System version information, current system login username, system login time
CPU model.
Screen resolution.
IP and broadband provider name.
Software installation information.
Security software process information.
Online shopping account login information, email login information, QQ number login information, network disk login information, etc.

Phishing Email – A user will receive an Email with malicious Link in the body
Email Attachments – A user will receive an Email with an Attached Innocent
Embedded Hyperlink – A Malicious Document Contains Embedded Hyperlink
Websites & Downloads – A Users Browser the infected site and Compromised website and download a software.
Drive by Infection – A User Browser with old Browser, Malicious plug-in, an unpatched third-party application.

Take regular backups of your data.
Don’t download the software called “EasyLanguage”.
Enable Windows 10 Ransomware Protection/ Controlled Folder Access.
One of the main infection vectors is Microsoft office document so make sure your Microsoft office Macros are disabled by
Keep the Firewall up to date to block suspicious
Scan all your emails for malicious links, content, and
Make sure that Sophos anti-virus protection is up to date and enabled in all the
Don’t Provide local administrator rights by default, also avoid high privilege by
Enforce access control permission for the concerned user and allow them to access the files which they actually needed to access for their work.
Provide proper training for your employees about ransomware attack. Educate the users to not open suspicious links.
Block the Ads and unnecessary web content using Ad-Blocker and Proxy/Firewall
Always download the software’s from trusted websites.
As mentioned, it encrypts data using a less secure XOR cipher. So, In case of attack, Velvet security team created and released a free ransomware decryption tool that can easily unlock encrypted files for victims without requiring them to pay any ransom. URL: https://www.huorong.cn/download/tools/HRDecrypter.exe