Some cyber criminals have recently hacked Chinese government websites and encrypted files on their computers’ hard drive, demanding cryptocurrency ransom in return for the restoration of the encrypted data.

According to a notice released Mar.13 by the People’s Government of Yiling District, Yichang (located in western Hubei province, China), the cyber police detected that a group of overseas hackers has been attacking the government websites in China since March 11 via ransom emails whose subject line reads “You must report to the police at 3:00 pm on March 11!”.

Technical analysis indicates that the ransomware contains the latest version of the infamous Gandcrab malware, which is one of the most prolific ransomware viruses worldwide that encrypts files on the compromised computer and demands a payment to decrypt them. The ransomware is hidden in the email attachment named “03-11-19.rar”, once a computer runs the GandcrabV5.2 malware, the files on its hard drive will be encrypted. Then the victim will be directed to download the Tor browser (an anonymity network) and pay ransom in cryptocurrency on Tor.

It remains yet to be known the scale of the attack, while as long as users do not open email attachments with unknown sources, they won’t be susceptible to ransomware attack. An anonymous government official said he has received a warning notice about the attack this morning, and he believes all government departments in the country have been warned about it. According to him, they often receive such warning notices about cyberattacks and will be told precautionary measures against them, but it is the first time they see hacking demanding cryptocurrency ransom.

It is notable that the ransomware email was sent from the sender in the name of “Min, Gap Ryong”. Though the hackers’ identity and the origin of the cyber-attack is not yet confirmed, the sender’s Korean name seems to allude to the notorious North Korean hackers.

Last week, cybersecurity firm McAfee found that a group of North Korean hackers, likely Lazarus Group, have been actively targeting U.S. businesses and “critical infrastructure”, as well as critical sectors in Germany, Turkey and the U.K. Crypto exchanges have also been victims of the hacking syndicate. The group is reportedly behind 5 hacks on crypto exchanges totaling $571 million hacked during the period from Jan 2017 to Sep 2018.

Since cryptocurrency gains great value together with mainstream exposure over the past few years, crypto ransomware attacks, from CryptoLocker to WannaCry and NotPetya, have been rampant. At its height in late 2013 and early 2014, over 500,000 machines were infected by CryptoLocker; In 2017, the WannaCry ransomware, spreading globally, were detected in more than 250,000 detections in 116 countries. Hackers lurking in the shadows are now posing threat to governments.