Ransomware Within the Great (Fire)Wall

A new ransomware family with Chinese-language ransom notes has been found. Legitimate businesses target a market, or a sector of a market, and ransomware is becoming more targeted in a way that mirrors those daylight commercial business models. Now it looks as though it is trying to get a foothold in the expanding Chinese market.

This ransomware was discovered by TrendLabs researchers, who named it Shujin. Although there hasn’t been a great deal of ransomware activity on the other side of the Wall, this isn’t the first incident. What is different about it is the language used in the demand and payment instructions; a spokesman for TrendLabs explains, “...this may be the first time that one used simplified Chinese characters. This character set is favored for use in mainland China”.

Shujin copies Western ransomware formats and demands payment in bitcoin via a Tor link. This is an odd choice, because it requires technical knowledge that most users in China are unfamiliar with; previous (mobile) ransomware demands were made through the familiar Alipay service. Further contradictions in its targeting are the author’s recommendation to use Baidu instead of Google to find a browser that supports Tor, and the advice to use a proxy server or Virtual Private Network to get around Chinese restrictions.

One big problem with Shujin: the product is of poor quality, and it doesn’t work. It looks like ransomware and talks like ransomware, but it performs no encryption at all. This, too, was discovered by TrendLabs researchers.
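A finding like TrendLabs’ (a ransom note with no actual encryption behind it) is something an incident responder can verify before treating data as lost. The triage heuristic below is an added example, not TrendLabs’ analysis code or anything from the Shujin sample: it checks whether a file still carries its expected format header and measures the Shannon entropy of its contents, since files that have been overwritten by an encryptor lose their header and approach 8 bits of entropy per byte. The sample files, the magic-byte table and the 7.5-bit threshold are constructed assumptions for illustration.

```python
"""Triage heuristic: did a claimed ransomware sample actually encrypt anything?

Added example (not TrendLabs' or the Shujin author's code). The sample files
are constructed inline and the entropy threshold is an assumed cut-off.
"""
import math
import random

# Leading bytes of a few common formats. If a file still begins with its
# expected header, a whole-file encryptor has not overwritten it.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
}

# Assumed cut-off (bits per byte) above which bytes look like ciphertext.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_magic(data: bytes):
    """Return the format name whose header the data starts with, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def classify(data: bytes) -> str:
    """Verdict for one file: 'intact_header', 'plaintext' or 'likely_encrypted'."""
    if detect_magic(data):
        # Known format header survived, so the file was not overwritten wholesale.
        return "intact_header"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "plaintext"


def triage(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(data) for name, data in files.items()}


def build_samples() -> dict:
    """Constructed sample files standing in for a scanned directory."""
    rng = random.Random(2016)  # deterministic stand-in for ciphertext
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return {
        "report.txt": b"Quarterly report: revenue up, costs flat.\n" * 60,
        "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(2048),
        # Compressed body is high-entropy by nature, but the header is intact.
        "backup.zip": b"PK\x03\x04" + noise(2048),
        # Renamed, no recognisable header, near-uniform bytes: consistent with encryption.
        "report.txt.locked": noise(2048),
    }


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name:20s} {verdict}")
```

The header check runs first because compressed formats (ZIP, PNG, gzip) are naturally high-entropy and would otherwise be misreported as ciphertext. The heuristic is only a first pass: a family that encrypts just part of each file can leave headers intact, so a verdict of "intact_header" should be confirmed by actually opening the file.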

The language is fluent and the grammar apparently flawless, but awareness of the market this ransomware was launched on is lacking. TrendLabs say, “Shujin’s lack of familiarity with the Chinese Internet landscape suggests attackers located outside of the country”. Given that, and the flawed programming (no encryption), where did it originate?

Last year, the U.S. President reached an agreement with Xi Jinping for each country to assist the other in investigating intellectual property theft (hacking). This was welcomed after years of American complaints about cyber incursions. The accord may have left many state-sponsored ‘computer consultants’ unemployed and forced to look for alternative income. Shujin could have been launched by such ex-employees as a trial run, with the Western-style aspects left in to provide a smoke-screen.

In March, four separate security firms spotted attacks that they say were launched from China. These firms observed that the attempted hacks were carried out by “skilled operators” and speculated about “state-sponsoring”.

One thing is for certain: Shujin has divided the experts about its origins and motives. Wherever this ransomware originated, like those that failed before it, it is sure to return in a functional form.
