A new malware variant has been discovered in China;在中国发现了一种新的恶意软件变种; this malicious program has infected over 100k devices in less than a week这个恶意程序在不到一周的时间内感染了超过10万台设备

Digital forensics specialists from the International Institute of Cyber Security report that a new variant of ransomware is quickly spreading in China.国际网络安全研究所的数字取证专家报告称，一种新的勒索软件正在中国迅速蔓延。 So far, the infection has already reached over 100k computers over the past four days due to a supply chain attack;到目前为止，由于供应链攻击，过去四天感染已超过10万台计算机; the number of infected computers keeps growing along the hours.受感染的计算机数量随着时间的推移而不断增长。

What keeps attracting the attention of the cybersecurity community is that, unlike other malware variants, this new ransomware does not demand a ransom payment in Bitcoin.不断吸引网络安全社区关注的是，与其他恶意软件变种不同，这种新的勒索软件并不要求比特币支付赎金。 Instead, hackers demand victims a payment for 110 yen (about $16 USD), figure that must be transferred through WeChat Pay, a function to perform transactions through the most widely used messaging service in China.相反，黑客要求受害者支付110日元（约合16美元），这个数字必须通过微信支付转移，微信支付是通过中国最广泛使用的消息服务进行交易的功能。

Password theft 密码被盗

So far, the evidence suggests that this malicious program has only affected users in China, unlike similar outbreaks, such as WannaCry or NotPetya.到目前为止，有证据表明，这种恶意程序只影响了中国的用户，不像WannaCry或NotPetya等类似的爆发。 In addition, this malware seems to have an additional password theft feature, for credentials used in services such as Alipay, Taobao, Tmall, AliWangWang and QQ.此外，这种恶意软件似乎还有一个额外的密码窃取功能，用于支付宝，淘宝，天猫，阿里王王和QQ等服务中使用的凭据。 Apparently the ransomware steals access credentials to these platforms and sends them to a remote server.显然，勒索软件窃取访问这些平台的凭据并将其发送到远程服务器。

According to reports of a China-based digital forensics firm, the operators of this campaign managed to deploy their attack by injecting malicious code into the EasyLanguage programming software, used by most of the app developers in China.根据一家中国数字取证公司的报道，该活动的运营商设法通过向中国大多数应用程序开发商使用的EasyLanguage编程软件注入恶意代码来部署攻击。

This program modified for malicious purposes was intended to inject the code of the ransomware into each app and software product compiled through EasyLanguage, making the virus spread incredibly quickly.此程序是出于恶意目的而修改的，旨在将勒索软件的代码注入到通过EasyLanguage编译的每个应用程序和软件产品中，使病毒迅速传播。

Over 100k users in China who installed any of the infected developments are now in a compromising situation.在中国安装任何受感染开发项目的用户超过10万，现在处于妥协状态。 This ransomware strain has shown to be able to encrypt all files of the infected system, with the exception of files with gif, exe and tmp extensions.这种勒索软件已经证明能够加密受感染系统的所有文件，但带有gif，exe和tmp扩展名的文件除外。

Stolen digital signatures 被盗的数字签名

To avoid antivirus solutions, hackers signed the malicious code with a seemingly reliable digital signature from Tencent Technologies, and they try not to encrypt files in specific directories, such as Tencent Games, League of Legends, tmp, rtl and program.为了避免防病毒解决方案，黑客用腾讯科技看似可靠的数字签名签署了恶意代码，并且他们试图不加密特定目录中的文件，如腾讯游戏，英雄联盟，tmp，rtl和程序。

According to experts in digital forensics , once the ransomware encrypts the user's files, a text file appears demanding the user to make the payment of 110 yen to the WeChat account linked to the malicious software.根据数字取证专家的说法，一旦勒索软件加密了用户的文件，就会出现一个文本文件，要求用户向与恶意软件链接的微信账号支付110日元。 The attackers mention that the user only has a three-day deadline to make the payment and receive the keys to restore their files.攻击者提到用户只有三天的截止日期来进行付款并收到恢复文件的密钥。 If the ransom is not covered in the time marked by the attackers, the program starts an automatic process of deleting the encryption key from a remote server.如果在攻击者标记的时间内没有涵盖赎金，程序将启动从远程服务器删除加密密钥的自动过程。

According to the collected evidence, the ransom note mentions that the files have been encrypted using the DES encryption algorithm, but in fact, the data is encrypted using an XOR cipher, a much less secure one that stores a copy of the encryption key in the victim's system in the following location:根据收集到的证据，赎金票据提到文件已使用DES加密算法加密，但事实上，数据是使用XOR密码加密的，XOR密码是一种安全性较低的密码，用于存储加密密钥的副本。受害者的系统位于以下位置：

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg ％用户％\应用程序数据\漫游\ unname_1989 \数据文件\ appCfg.cfg

A tool to remove encryption is already in development thanks to this information.由于这些信息，已经在开发一种删除加密的工具。 In addition, after receiving the reports of this attack campaign, WeChat suspended the account in which the attackers were receiving the ransom payment.此外，在收到此次攻击活动的报告后，微信暂停了攻击者收到赎金的账号。