The Hacker Behind WeChat Ransomware Is Caught After Stealing Passwords from 50,000 Users

WeChat Ransomware Author Caught

The prospect of using computers to illegally earn money from regular people seems appealing to quite a few wannabe criminals. Predictably, some are better than others. Luo Moumou, a Chinese individual who authored a new strain of ransomware known as WeChat or Unnamed1989, is, by the looks of things, one of the amateurs not just because he managed to get caught less than a week after launching his campaign, but also because his whole operation wasn't thought through at all. As we'll now find out, the 22-year-old would-be hacker made quite a few silly mistakes while creating his ransomware, and it's fair to say that he was never going to make it big. Even his appalling efforts, however, managed to create quite a stir.

Poor encryption, a modest ransom demand, and an unusual payment method shortened the lifespan of the WeChat ransomware

In most ransomware campaigns, demanding ransoms in cryptocurrency helps the criminals stay undetected. Bizarrely, Moumou decided not to bother with bitcoins and instead thought that he would collect the ransoms through WeChat – an instant messaging platform that supports payments. A QR code was included in the ransom note which made paying the ransom a fairly straightforward affair. The same QR code also helped law enforcement trace the money to Mr. Moumou and put a premature end to the whole operation.

Mr. Moumou isn't the most clever hacker the world has ever seen, and he doesn't seem to be terribly ambitious, either. Ransomware campaigns are so effective because they threaten to take away something very valuable – our data. Because our files are so dear to us, hackers don't shy away from demanding ransoms that usually run into several hundred (and sometimes, a few thousand) dollars.

Luo Moumou, however, decided that he'd ask for just 110 Chinese Yuan which translates into just $16 at the time of writing. If you think that $16 is a small price to pay for getting your files back, you're very much mistaken. It's precisely $16 more than you should pay because decrypting your files for free is not just possible, but rather easy.

For reasons that are not clear, the WeChat ransomware encrypts only a limited number of files and leaves a lot of data intact. What's more, although the ransom note tries to trick people into thinking that files are encrypted with a strong algorithm, the fact is, they are scrambled with a XOR cipher, and the key is stored locally which means that decrypting the information is not hard at all. Just two days after the first infections were reported, a Chinese security company known as Velvet Security released a free decrypter for WeChat ransomware victims.

Despite its shortcomings, the WeChat ransomware had a significant impact

The WeChat ransomware was never going to be a particularly scary piece of malware, and indeed, for most people, it wasn't a threat at all because it was aimed squarely at Chinese users. Nevertheless, its spread was nothing short of remarkable.

Reports don't seem to agree on one particular infection vector, which suggests that a number of lures were put in place. Apparently, an even greater number of people took the bait. The first infections popped up at the beginning of December, and in a matter of just a few days, the WeChat ransomware managed to affect a whopping 100 thousand computers. Not bad for a campaign that was destined to fail from the very start.

Luo Moumou's arrest and the free decrypter mean that the WeChat ransomware's file encrypting capabilities shouldn't cause too much of a trouble for victims. There was, however, a password stealing component that is a bit more threatening.

The stealer compromised passwords for online shops like and Tmall, digital wallet platforms like Alipay and Baidu Cloud, as well as some email and instant messaging services. All these, as you might imagine, are popular in China, and the number of people that could be at risk of account takeover sits at around 50 thousand. They could do worse than change the compromised passwords because while Luo Moumou, the person that stole the data, is unlikely to use it any time soon, he might have shared it with other people who probably aren't inconvenienced by an impending court trial. Needless to say, the new passwords must be strong and should never be reused.

Many cybercriminals don't really know what they're doing, and some, like Luo Moumou, end up facing the music. Even their clumsy attempts at stealing money from innocent users can sometimes do some very real damage. Keep that in mind while you're browsing the web.

December 10, 2018

Leave a Reply