Information Security 7 min read

Bitcoin Ransomware Cases and Police Crackdown in China

The article describes how Bitcoin‑based ransomware such as WannaRen encrypts victims' files, the large‑scale attacks on Chinese enterprises and institutions, the police investigations that led to the arrest of the mastermind Ju Mou and his accomplices, and practical advice for preventing such threats.

Laravel Tech Community

Bitcoin ransomware is a type of malware that, after infecting a computer, locks all files and displays a ransom dialog demanding payment in Bitcoin to restore access.

Recent years have seen a surge in ransomware attacks worldwide, affecting businesses, public institutions, and even universities.

One notable strain, WannaRen, encrypts almost every file on an infected system and appends the ".WannaRen" extension, threatening to double the ransom if payment is delayed.

In the "Clean Net 2020" operation, Jiangsu police captured the first known Bitcoin ransomware author, identified as Ju Mou, who had carried out over a hundred attacks and earned more than five million RMB in Bitcoin.

Ju Mou’s crimes included encrypting a supermarket’s cash‑register system (changing file extensions to "lucky") and demanding one Bitcoin (≈47,000 CNY) for decryption.

Investigators found that a data‑recovery company had negotiated with the hackers, paying 0.5 Bitcoin for a decryption tool and then charging victims a lower fee, effectively profiting from the crime.

On May 7, police arrested Ju Mou in Weihai, Shandong, seizing his computer, which contained email records, Bitcoin transaction logs, and the source code of the ransomware tools.

Ju Mou, a self‑taught programmer, had previously developed several ransomware families (including "satan_pro") after studying the EternalBlue exploit, targeting over 400 websites and systems across sectors such as finance, healthcare, and manufacturing.

Some victims chose to pay the ransom, while others suffered severe operational losses or even bankruptcy, illustrating the profound impact of ransomware on both large corporations and critical infrastructure.

To mitigate such threats, individuals are advised to patch vulnerabilities promptly, use strong passwords, back up important data regularly, avoid clicking unknown links, and refrain from downloading software from untrusted sources.
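The two cases above share one observable: the ransomware renames large numbers of files in a short time, appending a fixed extension (".WannaRen" in one case, "lucky" in the other). That pattern is cheap to detect from file-rename audit events. The script below is an added example written for this page, not code from the article or from any of the parties it describes; the log format (`timestamp|user|old_path|new_path`) and the events in `SAMPLE_LOG` are constructed for illustration. It goes slightly beyond the article's two named extensions: besides flagging any rename to a known ransomware extension, it also flags any user that appends the same previously unseen extension to many files within one time window, which catches new strains that the block list does not yet know.

```python
"""Flag bursts of ransomware-style renames in a file-rename audit log.

Constructed log format (one event per line): ISO-timestamp|user|old_path|new_path
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions appended by the ransomware in the cases the article describes.
KNOWN_RANSOM_EXTENSIONS = {".wannaren", ".lucky"}

# Constructed sample events: a point-of-sale service account being hit,
# a normal ".bak" save, an unknown-extension burst, and benign renames.
SAMPLE_LOG = """\
2020-05-01T09:00:00|svc_pos|/pos/sales_001.db|/pos/sales_001.db.lucky
2020-05-01T09:00:02|svc_pos|/pos/sales_002.db|/pos/sales_002.db.lucky
2020-05-01T09:00:04|svc_pos|/pos/sales_003.db|/pos/sales_003.db.lucky
2020-05-01T09:00:05|alice|/home/alice/notes.txt|/home/alice/notes.txt.bak
2020-05-01T09:10:00|bob|/share/q1.xlsx|/share/q1.xlsx.enc
2020-05-01T09:10:05|bob|/share/q2.xlsx|/share/q2.xlsx.enc
2020-05-01T09:10:10|bob|/share/q3.xlsx|/share/q3.xlsx.enc
2020-05-01T09:10:15|bob|/share/q4.xlsx|/share/q4.xlsx.enc
2020-05-01T09:10:20|bob|/share/q5.xlsx|/share/q5.xlsx.enc
2020-05-01T09:30:00|carol|/tmp/a.log|/tmp/a.log.tmp
2020-05-01T09:40:00|carol|/tmp/b.log|/tmp/b.log.tmp
2020-05-01T09:45:00|dave|/docs/report.docx|/docs/final_report.docx
"""


def parse_event(line):
    """Split one audit line into (timestamp, user, old_path, new_path)."""
    ts, user, old, new = line.strip().split("|")
    return datetime.fromisoformat(ts), user, old, new


def new_extension(old_path, new_path):
    """Return the suffix appended by a rename (lower-cased), or None if the
    rename did not simply append to the original name."""
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        return new_path[len(old_path):].lower()
    return None


def find_rename_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(user, ext): count} for suspicious append-renames.

    A (user, ext) pair is reported when the extension is on the known list
    (any count), or when the user appended that extension to at least
    `threshold` files inside a single sliding `window`.
    """
    stamps_by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, user, old, new = parse_event(line)
        ext = new_extension(old, new)
        if ext is not None:
            stamps_by_key[(user, ext)].append(ts)

    alerts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if key[1] in KNOWN_RANSOM_EXTENSIONS or best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (user, ext), count in find_rename_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT user={user} appended {ext!r} to {count} files within one window")
```

In practice the event source would be the file server's audit log or an EDR rename telemetry feed, and the alert would be tied to a response action such as disabling the offending account's SMB session; the point of the example is that the article's two cases are detectable from rename metadata alone, before the ransom note appears.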

Tags: Data Recovery, information security, cybersecurity, Bitcoin, ransomware, law enforcement
Written by Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
