WeChat Pay Ransomware – How to Remove It

WeChat Pay Ransomware – How to Remove It


with Combo Cleaner

Scan Your System for Malicious Files
Note! Your system might be affected by WeChat Pay ransomware and other threats
Threats such as WeChat Pay ransomware may be persistent. They tend to re-appear if not fully deleted. A malware removal tool like Combo Cleaner will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
Combo Cleaner’s scanner is free but the paid version is needed to remove the malware threats. Read Combo Cleaner’s EULA and Privacy Policy.

This article will aid you to remove WeChat Pay Ransomware. Follow the ransomware removal instructions provided at the end of the article.

WeChat Pay Ransomware is one that encrypts your data and demands money as a ransom to get it restored. The WeChat Pay Ransomware will leave ransomware instructions via a lockscreen instance. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

NameWeChat Pay ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by WeChat Pay ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss WeChat Pay ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

WeChat Pay Ransomware – Distribution Techniques

The reports about the Wechat Pay ransomware showcase that it is distributed mainly via supply-chain attack. By definition this is an attack intrusion that focuses on less-secure elements in a certain company’s infrastructure. Further information about the exact route of infection is not known at this stage.

What we know so far is that this is devised as a special attack against Chinese targets. It is very possible that the route of infection is the installation of infected software package. Such tactics take the legitimate installers of popular applications which are often installed by end users: system utilities, creativity suites and productivity applications or even games. Once they are executed by the engine the WeChat Pay ransomware will be started.

The distributed ransomware carriers have also been found to implement stolen digital certificates from Tencent Technologies. This explains the massive number of affected users which were reported at the onset of the attack campaign.

The known information about the hacker or criminal group behind the WeChat Pay ransomware attacks is a nick name “Luo”. The researchers were able to follow their QQ account number, mobile number, email IDs and their Alipay ID. The WeChat service has suspended the identified account which should stop the attacks coming in with this configuration.

WeChat Pay Ransomware – Detailed Analysis

As soon as the WeChat Pay ransomware is started it will start its built-in sequence of commands as per the current configuration. The analysis of the collected samples shows that one of the first components that are run is the password stealing one. It can scan the local hard drive, installed applications and the operating system environment for the following services: Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ.

All collected information that is hijacked will be reported to the criminals via a server connection. The local ransomware will establish a link with the hackers notifying them of the hijacked data. Other consequences of this action also includes the following:

  • Data Theft — The service connection can be used to hijack user data before they have been encrypted.
  • System Data Changes — Via this Trojan connection the criminals can manipulate the system by accessing and editing Windows Registry settings belonging both to the operating system and the third-party installed applications. This can result in the inability to launch certain functions or operations, as well as cause severe performance issues.
  • Additional Malware Infections — If instructed so the WeChat Pay ransomware infection can lead to the delivery of other malware.

Additionally the ransomware engine has been found to generate a report of the installed hardware components and other data that may be useful in analyzing the results of the attack campaign. The collected data may be used to generate a machine infection ID which is associated with every single compromised host.

WeChat Pay Ransomware – Encryption Process

As soon as the prior components have completed execution the actual ransomware engine will be started.

The XOR cipher has been identified to be used against the user data. The captured releases have been found to store the decryption key in the following location:


A lockscreen instance will then be displayed to the victims notifying them that they have to pay a ransomware fee of 110 yuan in order to get access back to their data.

NOTE: A decryptor has been released for the captured early versions. You can attempt file recovery by using it.

Remove WeChat Pay Ransomware and Try to Restore Data

If your computer system got infected with the WeChat Pay ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by WeChat Pay ransomware and other threats.
Scan Your MAC with Combo Cleaner
Combo Cleaner is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as WeChat Pay ransomware.
Keep in mind, that Combo Cleaner needs to purchased to remove the malware threats. Click on the corresponding links to check Combo Cleaner’s EULA and Privacy Policy.

Manually delete WeChat Pay ransomware from your Mac

1. Uninstall WeChat Pay ransomware and remove related files and objects
2. Remove WeChat Pay ransomware – related extensions from your Mac’s browsers

Automatically remove WeChat Pay ransomware from your Mac

When you are facing problems on your Mac as a result of unwanted scripts and programs such as WeChat Pay ransomware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.


Combo Cleaner

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share