
Chinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.

The UNNAMED1989 Ransomware was released on December 1st and within a matter of days had infected 100k victims. This ransomware would encrypt a victim's files using XOR encryption and then display a QR code demanding a ransom payment of 110 Yuan, or approximately $16 USD, to be paid via WeChat.

UNNAMED1989 / WeChat Ransomware

According to a report from Chinese media, with the help of Tencent's and Qihoo 360's security teams, the authorities were able to track down and arrest a 22-year-old man named Luo Moumou on December 5th. After his arrest, Moumou allegedly admitted to creating this ransomware.

Ransomware Arrest
Source: weibo.cn

This report states that Moumou created a development module that was promoted as allowing users to steal Alipay accounts and their associated funds. This module, though, contained the ransomware code and any other programs that utilized the module would help to spread the ransomware.

"In June 2018, Luo Moumou independently developed the virus 'cheat', which was used to steal the account password of others Alipay, and then steal funds by means of transfer," stated a report by Weibo.cn. "At the same time, a development software module containing the 'cheat' Trojan virus code is produced and published on the Internet."

As this ransomware would also steal passwords for popular Chinese sites, the authorities are recommending that users change the password for Alipay, Baidu Yun, Netease 163, Tencent QQ, Taobao, Tmall and Jingdong.

Moumou has been criminally detained by the police as the case is further investigated.

Decryptors available for the UNNAMED1989 Ransomware

Thankfully, the UNNAMED1989 Ransomware only utilized XOR encryption, so decryptors have been released by Tencent and the Velvet Security Team.

Using these decryptors, victims can get their files back for free.
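Why XOR-based ransomware can be undone without paying, as an added illustration (this is not the article's code, nor the Tencent or Velvet decryptor). The actual key length and file handling of UNNAMED1989 are not described above, so the repeating 4-byte key, the PNG-shaped sample file and the header/trailer check are constructed assumptions; the recovery approach (known plaintext reveals the key stream, whose period is the key) is the general one a defender applies to any repeating-key XOR scheme.

```python
from typing import Optional

# Added example, not from the article or the decryptor authors. Constructed
# assumptions: a repeating byte key, and PNG files whose fixed header/trailer
# serve as known plaintext.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                   # first 8 bytes of any PNG
PNG_TRAILER = b"\x00\x00\x00\x00IEND\xaeB`\x82"    # IEND chunk ending any PNG


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both
    'encrypts' and decrypts; that is the weakness the decryptors exploit."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encrypted: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Known-plaintext recovery: ciphertext XOR known plaintext reveals the
    key stream; the shortest period of that stream is the repeating key.
    Only keys no longer than the known prefix can be found this way."""
    if not known_plaintext:
        return None
    stream = xor_bytes(encrypted[:len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return None


def decrypt_png(encrypted: bytes) -> Optional[bytes]:
    """Recover the key from the PNG header, decrypt, then verify the IEND
    trailer so a coincidental period is rejected instead of yielding garbage."""
    key = recover_key(encrypted, PNG_MAGIC)
    if key is None:
        return None
    plain = xor_bytes(encrypted, key)
    return plain if plain.endswith(PNG_TRAILER) else None


# Constructed sample: a PNG-shaped file (valid header and trailer, dummy body)
# locked with a constructed 4-byte key; not a real UNNAMED1989 artefact.
SAMPLE_KEY = b"k3y!"
SAMPLE_PLAIN = PNG_MAGIC + b"IHDR-and-IDAT-placeholder-bytes" + PNG_TRAILER
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_ENCRYPTED, PNG_MAGIC))
    print("file restored:", decrypt_png(SAMPLE_ENCRYPTED) == SAMPLE_PLAIN)
```

The same approach works for any file type with a fixed signature (PDF, ZIP, Office documents); the header only needs to be at least as long as the key.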

Thx to Fly for the tip!
