WeChat Pay Ransomware – How to Remove It


This article will help you remove WeChat Pay Ransomware. Follow the ransomware removal instructions provided at the end of the article.

WeChat Pay Ransomware is ransomware that encrypts your data and demands money as a ransom to restore it. The WeChat Pay Ransomware displays its ransom instructions on a lock screen. Keep reading the article to see how you could try to recover some of your locked files and data.

Threat Summary

Name: WeChat Pay ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your files and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments

WeChat Pay Ransomware – Distribution Techniques

The reports about the WeChat Pay ransomware show that it is distributed mainly via a supply-chain attack. By definition, such an attack targets the less-secure elements of a company's infrastructure. Further information about the exact route of infection is not known at this stage.

What we know so far is that this is devised as a targeted attack against Chinese users. It is very possible that the route of infection is the installation of an infected software package. Such tactics take the legitimate installers of popular applications that end users commonly install, such as system utilities, creativity suites, productivity applications or even games, and bundle the malware with them. Once such an installer is executed, the WeChat Pay ransomware is started.

The distributed ransomware carriers have also been found to use stolen digital certificates from Tencent Technologies. This explains the massive number of affected users reported at the onset of the attack campaign.

The only known information about the hacker or criminal group behind the WeChat Pay ransomware attacks is the nickname “Luo”. The researchers were able to trace their QQ account number, mobile number, email IDs and Alipay ID. The WeChat service has suspended the identified account, which should stop the attacks that rely on this configuration.

WeChat Pay Ransomware – Detailed Analysis

As soon as the WeChat Pay ransomware is started it runs its built-in sequence of commands according to its current configuration. Analysis of the collected samples shows that one of the first components to run is the password-stealing one. It can scan the local hard drive, installed applications and the operating system environment for credentials of the following services: Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ.

All hijacked information is reported to the criminals via a server connection. The local ransomware establishes a link with the hackers, notifying them of the hijacked data. Other consequences of this connection include the following:

  • Data Theft — The server connection can be used to hijack user data before it is encrypted.
  • System Data Changes — Via this Trojan connection the criminals can manipulate the system by accessing and editing Windows Registry settings belonging both to the operating system and to third-party installed applications. This can result in the inability to launch certain functions or operations, as well as cause severe performance issues.
  • Additional Malware Infections — If so instructed, the WeChat Pay ransomware infection can lead to the delivery of other malware.

Additionally, the ransomware engine has been found to generate a report of the installed hardware components and other data that may be useful in analyzing the results of the attack campaign. The collected data may be used to generate a machine infection ID that is associated with every single compromised host.

WeChat Pay Ransomware – Encryption Process

As soon as the prior components have completed execution the actual ransomware engine will be started.

The XOR cipher has been identified to be used against the user data. The captured releases have been found to store the decryption key in the following location:


A lock screen is then displayed to the victims, notifying them that they have to pay a ransom fee of 110 yuan in order to get access back to their data.

NOTE: A decryptor has been released for the captured early versions. You can attempt file recovery by using it.
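As an added illustration, not part of the original article and not the released decryptor: a repeating-key XOR "cipher" of the kind reported for this family, and the known-plaintext key recovery that makes a decryptor feasible when files begin with a fixed header. The key, key length and file contents are constructed for this example; nothing here reflects the real malware's values.

```python
# Added example (not from the article and not the released decryptor):
# a repeating-key XOR "cipher" of the kind reported for this family, and
# the known-plaintext key recovery that makes such a decryptor feasible.
# The key and file contents below are constructed for illustration.
from typing import Optional, Tuple

# Fixed headers that common file types start with (genuine signature values).
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",  # first 16 bytes of every PNG
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",  # also .docx/.xlsx/.jar containers
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover a repeating XOR key from an encrypted file whose original
    began with known_prefix. Tries key lengths shortest first; a candidate
    is accepted only if it also reproduces the rest of the known prefix,
    so a key as long as the prefix cannot be verified and is not tried."""
    n = len(known_prefix)
    for k in range(1, n):
        key = xor_bytes(ciphertext[:k], known_prefix[:k])
        if xor_bytes(ciphertext[:n], key) == known_prefix:
            return key
    return None  # key longer than the verifiable prefix, or not a repeating XOR


def demo() -> Tuple[Optional[bytes], bool]:
    """Encrypt a constructed PNG-like file, recover the key from its
    header alone, and report whether the whole file was restored."""
    key = b"\x5a\x13\xc7\x09"  # constructed 4-byte key, not the real one
    plain = KNOWN_HEADERS[".png"] + bytes(range(64))
    locked = xor_bytes(plain, key)
    found = recover_key(locked, KNOWN_HEADERS[".png"])
    restored = found is not None and xor_bytes(locked, found) == plain
    return found, restored


if __name__ == "__main__":
    print(demo())
```

The longer the known header, the longer the key that can be recovered and verified; a 4-byte ZIP signature cannot verify a 6-byte key, which is why `recover_key` returns `None` in that case.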

Remove WeChat Pay Ransomware and Try to Restore Data

If your computer system got infected with the WeChat Pay ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

