

WannaLocker is an imposter of WannaCry that targets Android users in China. 

Payload

Transmission

WannaLocker has been spotted spreading in Chinese game forums. It is presented as a plugin for King of Glory (王者荣耀), a very popular game in China. The malicious file is named “com.android.tencent.zdevs.bah”. When users are misled into downloading this file, WannaLocker enters the device and starts its hazardous task.

Infection

On the affected device, the ransomware replaces the wallpaper with an anime image. It then encrypts targeted files with AES encryption and appends a unique file extension, which is a string of random symbols. Once all files are encrypted, the malware displays a ransom-demanding window that looks similar to WannaCry’s. The window, written in Chinese, provides information about the encrypted data and the possibilities for recovering it.

WannaLocker ransomware asks victims to pay 40 Chinese Renminbi and to contact the attackers as soon as the transaction is made. They will then provide the necessary decryption key and set the corrupted files free. Meanwhile, two timers in the ransom note show how much time is left until the size of the ransom doubles and until users lose their records entirely.

WannaLocker is designed to encrypt files on the external storage of the affected device. This technique has also been used by another mobile ransomware, SimpLocker. What is more, the malware is designed to encrypt only those files whose names do not start with a “.”. Files located in the DCIM, download, miad, android and com. directories are not targeted by the ransomware either. It also does not encrypt files that are bigger than 10 KB.
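
For incident response, the selection rules above can be applied to a file listing taken from a device's external storage to estimate which files to verify or restore first. This is an added example, not code from the malware or from the original page; the listing format, the function names and the exact matching rules (case-insensitive directory match, 10 KB taken as 10,240 bytes) are assumptions.

```python
from pathlib import PurePosixPath

# Exclusion rules as described above. Matching details are assumptions: names are
# compared case-insensitively against each directory component (DCIM being
# Android's camera directory), "com." is a prefix, and 10 KB means 10 * 1024 bytes.
EXCLUDED_DIRS = {"dcim", "download", "miad", "android"}
EXCLUDED_PREFIX = "com."
SIZE_LIMIT = 10 * 1024


def exclusion_reason(path, size):
    """Return why a file falls outside the described targeting, or None if in scope."""
    p = PurePosixPath(path)
    if p.name.startswith("."):
        return "dotfile"
    for part in p.parent.parts:
        low = part.lower()
        if low in EXCLUDED_DIRS or low.startswith(EXCLUDED_PREFIX):
            return "excluded directory: " + part
    if size > SIZE_LIMIT:
        return "larger than 10 KB"
    return None


def triage(listing):
    """Split 'size<TAB>path' lines into (at_risk, skipped) for restore planning."""
    at_risk, skipped = [], {}
    for line in listing.strip().splitlines():
        size, path = line.split("\t", 1)
        reason = exclusion_reason(path, int(size))
        if reason is None:
            at_risk.append(path)
        else:
            skipped[path] = reason
    return at_risk, skipped


# Constructed listing of an external-storage tree (size in bytes, tab, path).
SAMPLE = """\
2048\t/sdcard/Documents/notes.txt
512\t/sdcard/.nomedia
4096\t/sdcard/DCIM/Camera/thumb.jpg
700\t/sdcard/com.example.app/cache.db
500000\t/sdcard/Music/song.mp3
10240\t/sdcard/backup/keys.json
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Files in the first list are the ones to check against backups first; the second maps each skipped file to the rule that excluded it.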
