For 1, right now it is still fairly easy to buy "identities" from black market to use with Chinese Internet services. With the so-called "4-piece set" (national ID card, SIM card, debit card linked to a bank account, U-shield (hardware 2FA key for online banking)), one can set up WeChat/Alipay to collect payments without revealing their true identity.
And those "4-piece sets" are not faked ones. People purchase those from slumdogs who woud like some extra cash and don't know or don't care what happens if their identities are used in criminal activities.
But with 2-5... It's possible that those dumb crooks were too dumb to consider that much and just used an WeChat account registered under their own name.
You can buy identities alright, the real challenge is how to cash out the money. The account will likely be locked upon investigation, if not, the moment whoever cash it over the ATM or counter will be arrested on site.
Scammers often hire innocent agent cash out these accounts. But still with very low success rate.
Well, too late to know for that guy, he's already been arrested[0]. Guys on Solidot[1] digged out many interesting things, including one issue he posted on one of he's own GitHub repo saying "Help! How can I delete this repo, I have to run!".
LOL
BUT, I almost feel pity for him. Take look the picture of him on the news[0], look the environment he's living in and how thin he is, pretty rough life I'd say.
I hope hes doing well in prison and become a better man after this. If he can write a virus capable of doing all that, then I think he will also doing well in most companies that does web related works.
For someone who works in this space this would be a simple framing attempt. I give that like one dimension, maybe one and a half. In reality it's probably just a dumb crook or someone doing it for the lulz.
Someone has a bot that scrapes Github for Discord bot tokens and deletes all content in servers it has permissions in and replaces it with info saying X person did it and to "come to his house."
Stuff like that is pretty common I feel for people to use against their enemies. Especially if it was designed to be small and got out of hand.
It could just be a person with some computer knowledge but not really smart enough to do an encrypted attack and if fake ID is as easy as some posters suggest, and they could very quickly and easily with the limited knowledge they had come out with a few thousand dollars then I don't think they were dumb or stupid. It may look stupid given how complex attacks can be these days but so too does the Nigerian Prince email look stupid. But he to this day is still looking for someone to help him with his money.
Also it's entirely possible they purposefully left the files recoverable via XOR instead of DES [1] because all they really care about is getting $16 from you, not punishing you if you don't.
[1] a distinction the author was clearly aware of as it claimed DES was used in the ransom note
Chabuduo - "near enough is good enough". Said when defending a half-assed solution that barely hangs together. Now that I think about it, I see this in codebases all the time.
Since WeChat is a central authority, it would be foolish to ask for payment to the ransomware author's actual WeChat ID. It's very likely whatever ID they're asking for payments to is automatically generated/pulled/guess/etc so that the ransomeware's only purpose is to cause havoc and/or waste the government's time. If the ransomware was created to earn money it would ask for cryptocurrency like all the others, but then it wouldn't have made as many headlines.
Alternative possibility: given the simple, traceable, almost begging-to-be-caught nature of the malware, and that it so easily led researchers to a name and address of a potential author, perhaps its goal is actually to frame someone... to take out a rival hacker, revenge, lulz, ...?
Not saying it's what's actually happening here, but it's something that has crossed my mind before about malware - that it would be comparatively easy to lead one or more false trails to shift blame for whatever reason, and I wonder how many pieces of malware have actually managed to pull this off, and pinned the blame on an obvious target, e.g. Chinese government, "russian hackers", etc.
Because they don't justification to take someone down. If the Party could take down high ranking Party members like Bo Xilai or massively popular celebs like Fan Bingbing or foreign citizens like that Swedish publisher or a group of people like the million Uighurs, they hardly need an elaborate scheme like this to take someone into custody.
I guess it depends on the image they want to project and the message they want to send. Sometimes there is a political end to a Government's posturing. Sometimes it's more than the end they're looking for, sometimes they need to set the scene first to control the narrative in a way that sells the story they want for their own political gain.
It's the game of wits from Princess Bride. They might want to take someone out, so you can't choose the wine in front of you. But, they must know you know that, so you can't choose the wine in front of them. But they may be trying to protect their image, and if so, you can't choose the wine in front of them either.
I heard recently about the degree of rivalry between Chinese Hacker groups and how some get rid of competition by framing them for attacks. Which is absolutely brutal if you remember some hacking offenses face the death penalty.
I mean yes, it is a remarkable technical achievement.
To use the analogy of an art thief, this is as if he had simply smashed some glass and made a run for it, without dealing with security systems and whatnot. He might make it out the door, but now the museum has him on video, they have his fingerprints, and they're probably going to get the stolen art back.
Why not just use mules (if that's the right term)?
The world has no shortage of desperate people who will jump at the chance to earn a few bucks "working from home," where they help "hardworking businessmen between banks" move money. Perhaps the excuse is different and culture-specific, but peoples' inclination to look the other way when they think it benefits them is universal.
Twist: use the previous victim as a recipient for the payment.
This would create an interesting spread incentive for the attack: once you are infected and you pay, you can still be reimbursed if you manage to infect someone else. You could even make this into a pyramid where several person's payment go to a parent carrier, and people will even want to be infected quickly to be closer to the top of the pyramid.
Or just use a random previous victim id. Now it becomes a viral non-consensual lottery and you benefit from spreading it.
You can't just signup for a WeChat ID right now. As of late 2017, when you signup for a WeChat ID it shows you a sign-up QR code. Someone who is a verified WeChat user (someone with WeChat Pay which has RealID) must scan and verify you before you are allowed.
Why not have the real WeChat ID hidden among randomly generated 'noise' WeChat ID's? Then the real attacker could get paid and still have plausible deniability.
This criminal mind is going to get me in trouble some day...
It's not hard to steal money. It's hard to get away with it.
Part of the difficulty is fighting greed, as the people that get caught are the ones that push their luck way too far. They're often wildly successful at first with more cautious approaches, but as they get more brazen they end up getting busted.
Although it's a little tricky here, but once you acquired necessary Chinese IDs with debit cards (more than easy), it's not too hard, old people in villages are more than willing to sell theirs for sevral hundred RMB.
As for authorities, oh they are more busy maintaining social stability, if your case(assuming they allow you to register your case since it's obviously a dead end that effects their stats vital for promotion) are lucky enough to be included in an operation couple months later then maybe they can find out which countries these hustlers are at and cases closed.
Yeah. I'm thinking the real issue with using a single set of probably bought/stolen ID and infecting a few hundred thousand PCs is that you attract just enough attention for the authorities to be motivated to track you down. And unlike cybercriminals attacking mostly Western targets, I doubt they're safely overseas.
Real life IDs can be forged/bought, multiples can be forged to verify others. There is no technical barrier to attacks on this sort of system, only financial barriers.
I've heard this before but I created a WeChat account last week and didn't have to provide anything other than a phone number for a SMS verification code.
In China, when you get a phone number, you have to give them your national ID/身份证. So anything you authenticate with a phone number could be traced back to you.
for anyone saying this is outright dumb, remember they are criminals.
They are probably receiving the money in different, probably years old, honest accounts. Which the real owner is compromised (e.g. hacked. or being coerced to send the payment out as soon as it is received under threats, etc)
Not seeing this is why developers should not assume they can wear the threat modeler hat.
Also, when you are a B2C like ransonware folks are, it is very hard to make the victim get bitcoins even if their life depends on the data you are holding hostage. Using weechat in china gets them zero attrition.
Ironically, because of government reach and close technology company collaboration, including significant minority stakes in such companies, it would seem that malware groups operating in China have to be a lot better than their counterparts operating in other countries to remain at large for very long.
Russia is probably the best bet, not China. No extradition and pay FSB their share, and you may have the best chance on earth to get away with these things.
1. Sends money to a centralized service that can track his account, must share info with Chinese government
2. Forgot to register domain privately
3. Instead of using DES or RSA, he just XOR’d the file with a key he hard coded in the file
4. He apparently left his name a and phone number in the code?
5. When they looked at what servers it was pinging, they were able to gain access because it had not been properly secured
Am I missing anything else?