A new Chinese ransomware variant changes the Windows login password and forces users to pay to unlock their computers.
Symantec security researchers found a ransomlock malware, written in Easy Programming Language, that spreads mostly through a popular Chinese instant messaging service. Once a computer is compromised, it changes the login credentials of the current user and restarts the system using the newly created credentials.
The login password is changed to “tan123456789” and the account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation).
If victims contact the IM account provided by the cybercriminals, they’re instructed to pay 20 Chinese Yuan ($3.25 / €2.42) if they want the new password.
Symantec experts have been able to determine the password because it’s hardcoded in the sample they’ve analyzed. However, the cybercriminals can change it at any time. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
How to recover from the Chinese ransomware:
- Use password “tan123456789” to log into the system and reset the password
- Use another administrator account to log into the system and reset the password
- If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
- Use a Windows recovery disk to reset the password
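
The behaviour described above (the current account is renamed and its password changed in quick succession) can be looked for in Windows Security log data. The following is an added detection sketch, not Symantec's code or part of the original article. It assumes events have already been exported into simplified records; the field names, SIDs, timestamps and the five-minute window are constructed for illustration. Event IDs 4781 (account name changed) and 4723/4724 (password change/reset attempt) are the standard Security log IDs.

```python
from datetime import datetime, timedelta

# Security-log event IDs: 4781 = account name changed,
# 4723/4724 = password change / password reset attempt.
RENAME, PW_EVENTS = 4781, {4723, 4724}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample records (simplified fields, not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:01", "id": 4724, "sid": "S-1-5-21-1-2-3-1001", "name": "alice"},
    {"time": "2024-01-01T10:00:03", "id": 4781, "sid": "S-1-5-21-1-2-3-1001", "old": "alice",
     "new": "contact [IM ACCOUNT USER ID] if you want to know the password"},
    # Benign: help-desk password reset with no rename.
    {"time": "2024-01-01T11:30:00", "id": 4724, "sid": "S-1-5-21-1-2-3-1002", "name": "bob"},
    # Benign: rename with no password change.
    {"time": "2024-01-01T15:00:00", "id": 4781, "sid": "S-1-5-21-1-2-3-1003",
     "old": "carol", "new": "carol.smith"},
]

def find_lockout_pattern(events, window=WINDOW):
    """Return alerts for accounts renamed and password-changed within `window`."""
    renames, pw_changes = {}, {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        bucket = renames if ev["id"] == RENAME else pw_changes if ev["id"] in PW_EVENTS else None
        if bucket is not None:
            # Key on the SID: the account name is exactly what changes.
            bucket.setdefault(ev["sid"], []).append((ts, ev))
    alerts = []
    for sid, rlist in renames.items():
        for r_ts, r_ev in rlist:
            hits = [p_ts for p_ts, _ in pw_changes.get(sid, []) if abs(p_ts - r_ts) <= window]
            if hits:
                new = r_ev["new"]
                alerts.append({"sid": sid, "old": r_ev["old"], "new": new,
                               "renamed_at": r_ts, "password_changed_at": min(hits),
                               # Heuristic: spaces or a long name read like a message.
                               "message_like_name": " " in new or len(new) > 20})
    return alerts

if __name__ == "__main__":
    for alert in find_lockout_pattern(SAMPLE_EVENTS):
        print(alert)
```

Correlating on the SID rather than the account name matters here, because the rename would otherwise break the link between the two events.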