HyperAI

The First Bitcoin Ransomware Case in China Was Cracked, With a Profit of 5 Million in Three Years


Recently, the first Bitcoin ransomware developer in China, Ju, was captured by the Nantong police in Jiangsu. In three years, Ju illegally earned more than 5 million yuan through network ransomware.

On October 8, according to a report from the police in Nantong City, Jiangsu Province, a major online extortion case was cracked during the "Net Cleaning 2020" campaign, and three suspects, Ju, Xie and Tan, were arrested.

The suspect Ju, the creator of multiple Bitcoin ransomware viruses, had committed more than 100 crimes and illegally obtained Bitcoin worth more than 5 million yuan.

Ransomware: Want your data back? Pay in Bitcoin

In recent years, cyber ransomware has become rampant and difficult to prevent. Companies, institutions, and even universities around the world have been attacked by ransomware.

In April this year, the cash register system of a large supermarket in Qidong, Nantong City, Jiangsu Province was attacked: hackers implanted ransomware, and the system was paralyzed and unable to operate normally.

The supermarket immediately reported the case, and the Nantong Public Security Bureau and the Municipal Bureau's Cyber Security Department formed a special task force to investigate. The task force found a message in English that told the victim how to decrypt the files and required the victim to pay 1 Bitcoin (about RMB 47,000 at the time) as the decryption fee.

The hacker's ransom message: If you want to restore the files, please deposit 1 Bitcoin into my wallet

In addition, after inspecting the data on the supermarket's server, the cyber police found that every file the hacker had locked was encrypted and given the suffix "lucky", so the files and programs could no longer run. In the root directory of the C drive was an automatically generated text document containing the hacker's Bitcoin payment address and email contact.

The suffix of the supermarket server data files has changed to "lucky"
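The two artefacts the report describes, encrypted files renamed with a "lucky" suffix and a text note in the drive root carrying a Bitcoin address and an email contact, are exactly what an incident responder looks for first when triaging a copied disk image. The script below is an added example written for this article, not code from the police report or from any of the tools it mentions. It walks a volume root, lists files carrying the encrypted suffix, flags text files that contain at least two ransom-note indicators, and summarises which directories were hit. The sample volume it builds is constructed for the demonstration (the Bitcoin-address-like token and the email address are placeholders, not real indicators from the case).

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the case report: encrypted files were renamed with a
# "lucky" suffix, and a text file with a Bitcoin address and an email contact
# was dropped in the root of the C: drive.
ENCRYPTED_SUFFIX = ".lucky"
NOTE_PATTERNS = [
    re.compile(r"\bbitcoin\b", re.IGNORECASE),
    # Loose Bitcoin-address-like token (base58, common prefixes); a heuristic only.
    re.compile(r"\b(?:bc1|[13])[a-zA-HJ-NP-Z0-9]{25,62}\b"),
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),  # email contact
]


def looks_like_ransom_note(path: Path, max_bytes: int = 64 * 1024) -> bool:
    """Flag a text file when at least two note indicators appear in it."""
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
    except OSError:
        return False
    hits = sum(1 for pat in NOTE_PATTERNS if pat.search(text))
    return hits >= 2


def triage(root) -> dict:
    """Walk a copied or mounted volume and collect ransomware artefacts.

    Returns paths relative to `root` (POSIX style) so the result is stable
    regardless of where the image was mounted.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            elif p.suffix.lower() == ".txt" and looks_like_ransom_note(p):
                notes.append(rel)
    # Count encrypted files per directory: shows which shares/databases were hit.
    by_dir = {}
    for rel in encrypted:
        d = rel.rsplit("/", 1)[0] if "/" in rel else "."
        by_dir[d] = by_dir.get(d, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_dir": by_dir}


def build_sample_volume() -> str:
    """Constructed sample tree (not real case data) mimicking the report."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "pos" / "db").mkdir(parents=True)
    (root / "pos" / "db" / "sales.mdb.lucky").write_bytes(b"\x00" * 32)
    (root / "pos" / "db" / "sales.ldf.lucky").write_bytes(b"\x00" * 32)
    (root / "pos" / "config.ini").write_text("[pos]\nport=5555\n")
    (root / "notes.txt").write_text("meeting at 9, bring invoices\n")
    # Placeholder address and contact, constructed for the example only.
    (root / "How_to_decrypt.txt").write_text(
        "Your files are encrypted. Send 1 Bitcoin to "
        "1ExampleAddressPlaceholderxxxxxxxxxxxx and mail contact@example.invalid\n"
    )
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_volume())
    print(f"{len(result['encrypted'])} encrypted file(s); "
          f"{len(result['notes'])} ransom note(s)")
    for d, n in sorted(result["by_dir"].items()):
        print(f"  {d}: {n}")
    for note in result["notes"]:
        print(f"  note: {note}")
```

The note check deliberately requires two independent indicators, so an ordinary text file that merely mentions Bitcoin or contains an email address is not flagged; the suffix match, by contrast, is exact because the renamed extension is the strongest artefact on the disk. Run it against a read-only copy of the affected volume, never the live system, so timestamps and any recoverable originals are preserved.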

Subsequently, despite extensive work by the task force, there was no progress: no clues could be found, and the investigation came to a standstill.

According to Xu Pingnan, deputy captain of the Third Brigade of the Nantong Public Security Bureau's Cyber Security Brigade, "Since Bitcoin is traded through overseas websites, it is difficult to trace, and the identity of the initiator of the attack is often a mystery."

With its rising price and inherent anonymity, Bitcoin has become popular among criminals.

The supermarket sought help from a data recovery company, which turned out to be the clue that solved the case

Just when the police were at a loss as to where to start, a glimmer of hope appeared in the case.

Since the supermarket's locked server contained important work data, formatting it would have caused a huge loss. The supermarket staff therefore contacted a data recovery company and commissioned it to unlock the encrypted files for a price lower than the ransom (1 Bitcoin).

Later, this data recovery company miraculously succeeded in decrypting the server data.

After the police learned of this, they suspected there was more to it. Generally speaking, ransomware breaks into a computer and encrypts files or the system; each decryptor is newly generated from the characteristics of the encrypted computer, and without the virus maker's secret key it is almost impossible to decrypt.

Huang Xiaoting, a member of the task force and a police officer from the Cyber Security Brigade of the Qidong Municipal Public Security Bureau, analyzed that, generally, only by paying Bitcoin to the blackmailer can the files be decrypted.

But after further investigation, the data recovery company was ruled out as a suspect.

It turned out that the data recovery company was able to recover the data because it had contacted the hacker by email and paid 0.5 Bitcoin for the unlocking tool, completing the job and earning the difference.

Through the data recovery company, the task force obtained new clues and, after in-depth research and analysis, identified the suspect's real identity as Ju. At this point, the investigation finally made significant progress.

On May 7, the task force arrested Ju in Weihai, Shandong, and seized the computer used to commit the crime at his residence. In Ju's computer, the police found relevant email records, Bitcoin transaction records, and the source code of related ransomware tools.

Faced with the evidence, Ju (second from right) confessed to his crime

Ju confessed that he developed website vulnerability scanning software and, after obtaining control permissions, implanted the ransomware in a targeted manner. To avoid being cracked and to evade investigation by the public security organs, Ju successively developed and upgraded 4 types of ransomware. He demanded hard-to-trace Bitcoin as ransom and used overseas network storage and email addresses.

Before the Jiangsu police arrested him, Ju had implanted ransomware into more than 400 websites and computer systems. The victims came from more than 20 provinces and spanned industries such as business, medical care, and finance.

Among them, a listed company in Suzhou was forced to shut down for three days after the ransomware destroyed the database files used in its work, leaving its entire production system unable to operate normally and causing huge economic losses.

A self-taught person who turned to crime

Ju can be described as a self-taught expert whose talent was squandered on a "career" of extortion.

It is understood that Ju was born in Chifeng, Inner Mongolia, and is 36 years old this year. He has been interested in computers and taught himself about them since he was young, and is proficient in programming, website attack and defense, and other technologies.

Afterwards, he set up a studio and used the software he developed to trade stocks. He made a lot of money at first, but ended up losing more than 3 million yuan.

Ju, heavily in debt, happened to learn that money could be made by extortion with ransomware, and so embarked on the path of developing virus programs.

Starting from the second half of 2017, Ju researched ransomware such as "Satan" and the vulnerability exploit program "Eternal Blue", and wrote the "satan_pro" virus program to commit crimes.

In 2018, a customer who was infected with the virus requested a data decryption company to decrypt the data. The ransom note was as follows:

According to Ju, to avoid cracking and evade police pursuit, after "satan_pro" he successively upgraded and developed four ransomware viruses: "nmare", "evopro", "svmst" and "5ss5c". The supermarket cash register system attacked in Nantong, Jiangsu was infected with the "nmare" virus.

Besides demanding untraceable Bitcoin as ransom, Ju sent the decryption software to victims through overseas network disks and emails, which he changed frequently. The Bitcoin he obtained was also traded through overseas websites.

Ju considered his plan flawless, a "perfect crime", but he ultimately failed to escape police investigation. Two data recovery company operators, Xie and Tan, who worked with him during the crimes, were also arrested on suspicion of extortion.

I wonder how this man feels now that he is in prison. Had he used the knowledge he acquired to become a network security engineer, his life would have been completely different.

Perhaps one day in the future, he will still remember behind bars the excited and pure self he was when he typed the first line of code many years ago.

News Sources:

Sina Finance: "The first Bitcoin ransomware creator in China was arrested: He once forced a listed company to shut down for 3 days."

Nantong Public Security WeChat Official Account: "The first Bitcoin ransomware creator in China was arrested! Nantong cracked a major case of using viruses to extort money"