The Chinese ransomware attacks Windows user accounts
Symantec recently detected a computer threat belonging to the ransomware category, a malware that is dangerous because of the way it attacks PCs based on Windows operating systems even though it isn’t particularly complex to defeat. Trojan.Ransomlock.AF, as the malware is named, targets users of the Chinese Internet with an account on Tencent QQ (or “QQ”), an instant messaging service that is very popular within the Asian country.
Unlike other notable ransomware families like the infamous Gpcode, Trojan.Ransomlock.AF does not “kidnap” files or documents that are on the system to seek a money ransom, rather trying to kidnap the entire system: once it has been downloaded and (willingly) installed on the PC, the trojan modifies the Windows Registry by changing the access credentials of the currently logged user. The username is also replaced with an invitation to contact someone on QQ – likely the malware author himself – to get the new password required to unlock the account.
The cost for knowing this password, Symantec explains, is 20 Yuan or about 2.5 €. A clearly affordable price, and an unnecessary expense anyway considering that the Trojan.Ransomlock.AF creator coded the password (“tan123456789”) directly into the viral sample acquired by the USA security enterprise. The malware writer could decide to chance the password in a possible new variant of the trojan, Symantec warns, and in such a case the user should employ alternative methods (using a recover disk and safe mode access among the others) to restore the usual login credentials.
Further details on Trojan.Ransomlock.AF published by Symantec: the malware is written in Easy Programming Language (a language designed to ease software development for Chinese users); the Windows systems affected are Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7; the viral sample was initially detected on August 14, 2013; the trojan distribution level “in the wild” is Low.