In the past, hackers behind notorious ransomware attacks like WannaCry and NotPetya have required their victims to transfer ransom payments using untraceable cryptocurrencies like bitcoin in order to hide their identities from authorities. But a new kind of hack in mobile-centric China is asking the owners of hijacked computers to transfer money using WeChat, the country’s ubiquitous social platform.

The ransomware — as yet unnamed — was first reported on Saturday by Huorong Security, a company that provides anti-virus software and other network security solutions. Huorong identified the attack as a new type of ransom/bcrypt malware — malicious software that threatens to publish the victim’s personal data or block access to it unless a ransom is paid. This time, the hacker used such a virus to hijack Windows PCs in China, encrypted documents saved to the desktop, and demanded that ransoms of 110 yuan ($16) be paid by scanning a WeChat QR code that popped up on affected users’ computer screens. The virus is also capable of stealing user logins to popular online platforms like Taobao, Tmall, Alitalk, Baidu Cloud, JD.com, and QQ. Huorong estimated that as of Monday, more than 20,000 people in China had been affected by the virus.

China’s two most popular mobile payment providers, WeChat and Alipay, responded to the cyberattack on Tuesday. A WeChat spokesperson said that the company identified the hacker immediately following initial reports of the hack and deactivated the QR code the hacker had been using to accept ransom payments. Alipay, meanwhile, said that it is monitoring the case closely but has yet to hear of any Alipay accounts being involved.

The hack marks the first time that a ransomware virus has requested payment via a WeChat QR code. Li Tiejun — an internet security expert at China’s leading anti-virus software company, Kingsoft — told Sixth Tone that because the hacker had used the QR code linked to his personal account, WeChat’s cybersecurity experts were able to identify him as soon as they learned of the scheme. Huorong’s security team was also able to trace the hacker using his QR code, handing over his name, phone number, and email address to police.

Although the hack has affected tens of thousands of users, Li says that the encryption techniques the hacker used were “very basic” and easily cracked. Li also noted that the ransomware only affects PCs, not smartphones or Apple devices. And even though the virus encrypts certain files, users can unlock them by updating their anti-virus software and running a system scan. Huorong mentioned in its report that the ransomware exclusively targeted Chinese internet users and has not yet posed a threat to people in other countries.

Liu Gang, the founder of PayNews.net, a Hangzhou-based online news service focusing on China’s mobile payment industry, told Sixth Tone that according to the country’s e-commerce law, electronic payment service providers could be liable to pay compensation to people who are hacked while using their platforms. An Alipay spokesperson also said that if Alipay accounts had been hacked in a similar fashion, the company would compensate affected users.

More than almost anywhere else in the world, China and its vast commercial sector are dominated by mobile payments. Driven by popular apps like WeChat and Alipay — used by 1 billion and 870 million people, respectively — mobile payments accounted for a record 295 trillion yuan in domestic transactions last year and are expected to hit 793 trillion yuan by 2021. Given that more and more online accounts — and the personal information they contain — are linked to mobile payment services, gaining access to such accounts is becoming more devastating to victims than the credit card-hacking schemes of yesteryear.

Editor: David Paulk.



(Header image: A customer prepares to scan a QR code to complete a transaction at a shop in Shanghai, March 20, 2018. IC)