
Beijing Ransomware

Posted: October 26, 2020

The Beijing Ransomware is a file-locking Trojan with significant ties to previous ones, such as Hermes Ransomware and LeakTheMall Ransomware. The Beijing Ransomware uses AES encryption to lock the user's digital media files before demanding a ransom through a text note. Users with anti-malware solutions should remove the Beijing Ransomware through them immediately before retrieving their work from their latest backups.

A Greek God Strikes Out at China's Capital

Updates to the Hermes Ransomware family of 2017 may or may not use the same ransom notes as the older versions of that Trojan. Whether their wording differs or not, variants like the Beijing Ransomware stay just as potent at blocking files, with the usual AES algorithm-based encryption attacks. For now, malware experts have yet to narrow down the geographical scope of this new update's campaign, which could circulate just as quickly outside of China as inside.

The Beijing Ransomware's campaign runs alongside a similarly dated one by the Montana Ransomware, another member of this family, and even older examples include the MARRACRYPT Ransomware, the Ryuk Ransomware and RYK Ransomware. Although some variants include changes to the underlying Trojan's code, the Beijing Ransomware is mostly identical to its immediate ancestor, LeakTheMall Ransomware. This family targets Windows systems with its data-blocking and extortion features.

The Beijing Ransomware is capable of locking most media formats on users' computers and does so through a secure AES encryption routine. It also includes an extension-adding feature with the non-capitalized 'beijing' string and a '!RECOVER' text note. The message retains most of the grammar errors from old versions of the family. The only changes of importance are the criminals' e-mail addresses, using free services like AOL.
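As an added illustration that is not part of the original write-up, the following Python scan looks for the two host-based traces the paragraph above describes: renamed files and the dropped note. It assumes the extension is appended as '.beijing' and that the note's file name begins with '!RECOVER'; neither exact form is stated in the text, and the sample directory tree is constructed, not a real infection.

```python
import os
import tempfile
from pathlib import Path

# Assumptions (the write-up gives only the strings, not their exact form):
# the appended extension is ".beijing" and the note file name starts with "!RECOVER".
LOCKED_EXTENSION = ".beijing"
NOTE_PREFIX = "!RECOVER"


def scan_for_indicators(root):
    """Walk root and collect files matching the two indicators.

    Returns sorted relative paths of suspected locked files and ransom notes,
    plus the directories that hold both at once, the strongest signal that
    the Trojan completed an encryption pass there.
    """
    root = Path(root)
    locked, notes, dirs_with_both = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        has_locked = has_note = False
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name.lower().endswith(LOCKED_EXTENSION):
                locked.append(rel)
                has_locked = True
            elif name.startswith(NOTE_PREFIX):
                notes.append(rel)
                has_note = True
        if has_locked and has_note:
            dirs_with_both.append(Path(dirpath).relative_to(root).as_posix())
    return {
        "locked_files": sorted(locked),
        "ransom_notes": sorted(notes),
        "directories_with_both": sorted(dirs_with_both),
    }


def build_sample_tree():
    """Create a constructed sample tree: one touched folder, one clean folder."""
    root = Path(tempfile.mkdtemp(prefix="beijing_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.beijing").write_bytes(b"\x00" * 16)
    (root / "docs" / "!RECOVER-README.txt").write_text("constructed note")
    (root / "pictures").mkdir()
    (root / "pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return str(root)


if __name__ == "__main__":
    for key, values in scan_for_indicators(build_sample_tree()).items():
        print(f"{key}: {values}")
```

Run against a suspect share or backup mount, a non-empty "directories_with_both" list is the folder set to prioritize for restoration from backups.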

Paying the ransom is still inadvisable, but victims may consider any free decryption demos cautiously, understanding that any returned files from threat actors are also security risks and potential attacks.

Canceling Capital-Themed Computer Crises

The Beijing Ransomware's family is notorious for targeting some high-end institutions, such as Taiwan's SWIFT. Its deployment is just as likely to be a 'distraction' from other attacks as it is the goal of an extortion campaign. Although malware experts consider the Beijing Ransomware's encryption routine well-analyzed, using AES from a public library together with RSA, there is no free unlocking or decryption solution for it. Users depend on their backups for recovering documents and other media from any infections.

Some targets of campaigns from this family experience infections through zero-day exploits, which patches can't fix. However, most users who maintain strong passwords and update their software should be at low risk. Malware experts also point to features such as document macros, browser JavaScript and Flash as likely vulnerability triggers.

Installations of this Trojan may show some symptoms, such as UAC prompts, which variants of the Hermes Ransomware don't necessarily disable. Otherwise, anti-malware software is necessary for stopping infections or deleting the Beijing Ransomware.

The Beijing Ransomware may be named after China's most important city, a sharp cultural swerve from the first Hermes Ransomware. Still, it doesn't need to confine itself to Asia, and virtually any Windows environment with files worth a ransom is a candidate for another headline-making attack.
