Police arresting ransomware author in Anyang, China

Chinese authorities have arrested two men who have distributed a version of the SLocker Android ransomware that was customized to look like WannaCry, the Windows ransom-worm that spread across the world in the middle of May.

The arrests took place on June 7, a mere five days after security experts from Qihoo 360 and Tencent Security Lab had spotted first infections.

Ransomware disguised as plugin for popular Chinese game

The authors of this ransomware were spreading their payload disguised as a plugin for King of Glory, a very popular mobile game in China.

This WannaCry lookalike was based on a variant of the SLocker ransomware, an Android ransomware variant that has recently seen a resurgence of activity in the first half of 2017.

Police said the ransomware made less than 100 victims. The ransomware's impact was limited because its authors didn't have the experience necessary for mass distribution. The two authors used links on Chinese forums to spread their boobytrapped Kings of Glory plugin.

Ransomware devs made a series of mistakes

When Bleeping Computer first covered this ransomware campaign, we also noted their lack of expertise and experience with ransomware operations because the group used easy-to-track payment methods to handle payments from victims.

The two authors asked victims to send  40 Chinese Renminbi ($6) via Chinese payment providers QQ, Alipay, or WeChat. These payments left a trail of clues leading back to the authors, especially in a country as heavily regulated as China.

Authorities didn't say how they tracked down the two authors, but they said that on June 7, they arrested a 20-year-old man named Chen from Wuhu (Anhui province), and a 13-year-old boy named Jinmou from the city of Anyang (Henan province). Police say the first was in charge of creating the ransomware, while the latter suspect was in charge of the distribution.

Devs arrested five weeks after deploying their ransomware

Investigators seized phones and electronic equipment from both suspects. Police said they found 34 malware samples on the seized devices.

Evidence suggests the two started working on their ransomware in May, and they released it on June 2. Because of mistakes the two made in handling payments and hiding their tracks, they both ended up in police custody in less than a week after starting their ransomware campaign.

Chinese cyber-security company Tencent played a crucial role in the investigation and in unmasking the crooks.

Image showing Chinese police officers arresting suspect named Chen. Image credit: Henan Anyang Police