Inside a DIY Ransomware: How a Beginner’s E‑Language Malware Was Analyzed and Defeated

A detailed walkthrough shows how a low‑skill ransomware written in E‑Language was dissected in a VMware VM, revealing hard‑coded admin credentials, simple command‑line user creation, and a plaintext ransom password, followed by practical removal tips such as Safe Mode and bootable USB cleanup.

Liangxu Linux

While fishing, the author received an urgent request from a reader whose computer was infected by ransomware. The malware was sent as an executable written in 易语言 (E‑Language) and masqueraded as a QQ bulk‑registration tool, even including a document that urged users to disable security software.

Running the program in a VMware Fusion VM immediately blackens the screen and displays a full‑screen ransom note demanding 30 CNY, with a taunting message and a QQ contact number.

The author notes that switching between the VM and the host macOS causes the Windows resolution to reset, exposing that the ransom window is a simple top‑most window that does not adapt to resolution changes.

In the VM, the ransomware can be stopped by opening Task Manager and terminating its process, but on a real machine the lack of automatic resolution adjustment may prevent this method.

After a reboot, the malware adds a new local user named admin with password asdfghjkl and changes the existing Administrator account password to 69. Screenshots show the new account and password entries.

Analysis Process

The investigation focused first on the user‑creation functionality. Although the program is written in E‑Language, it ultimately calls Win32 APIs. The import table revealed no direct user‑management functions, so the author searched for the string admin and discovered that the malware simply executes command‑line instructions via cmd.exe.

The plaintext command line also reveals the credentials:

admin: asdfghjkl
Administrator: 69

While the admin password is obvious, the meaning of 69 remains unclear. Entering these credentials grants access, but the ransomware window reappears, indicating that a persistence mechanism (likely a startup entry) is in place.

To locate the password‑validation routine, the author set breakpoints on GetWindowText (reads the password field) and SetWindowText (writes the “password incorrect” message). Tracing the call stack quickly isolates the verification code.

During this step, another string identical to the admin password (asdfghjkl) was found next to the error message. Entering this string into the password box instantly unlocks the system, exposing the ransom password in clear text.
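The string search that recovered the hard-coded credentials can be reproduced with a small triage script. The example below is added here and is not the author's tooling: it pulls printable strings out of a constructed stand-in for the unpacked binary, flags embedded cmd.exe account commands, and checks whether any recovered password also appears as a standalone string elsewhere in the image, which is exactly how the unlock password turned up beside the error message. The `net user` / `net localgroup` syntax in the sample is an assumption about how the malware drove cmd.exe; the page only says command-line instructions were used.

```python
import re

# Constructed stand-in for the unpacked ransomware image: a few junk bytes
# around the plaintext command lines the author found. The "net user"
# wording is an assumption; the page only says cmd.exe commands were used.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec\x83\xec\x10\x00MZ\x00"
    b"cmd.exe /c net user admin asdfghjkl /add\x00"
    b"\x90\x90\xc3\x00"
    b"cmd.exe /c net localgroup administrators admin /add\x00"
    b"\x00\x01\x02"
    b"cmd.exe /c net user Administrator 69\x00"
    b"password incorrect\x00asdfghjkl\x00"
)

# net user <name> <password> [/add]  and  net localgroup <group> <name> /add
NET_USER_RE = re.compile(r"net\s+user\s+(\S+)\s+(\S+)(\s+/add)?", re.I)
NET_GROUP_RE = re.compile(r"net\s+localgroup\s+(\S+)\s+(\S+)\s+/add", re.I)


def extract_strings(blob, min_len=6):
    """Minimal strings(1): printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_account_commands(blob):
    """Flag embedded shell commands that add accounts, set passwords or grant admin."""
    findings = []
    for s in extract_strings(blob):
        m = NET_USER_RE.search(s)
        if m:
            findings.append({"kind": "add_user" if m.group(3) else "set_password",
                             "account": m.group(1), "password": m.group(2), "command": s})
            continue
        m = NET_GROUP_RE.search(s)
        if m:
            findings.append({"kind": "add_to_group", "group": m.group(1),
                             "account": m.group(2), "command": s})
    return findings


def reused_secrets(blob):
    """For each recovered password, count standalone copies elsewhere in the image.
    A password that also sits on its own (as the admin password did here) is the
    first thing to try against the lock screen's own check."""
    standalone = extract_strings(blob, min_len=1)
    return {f["password"]: sum(1 for s in standalone if s == f["password"])
            for f in find_account_commands(blob) if "password" in f}


if __name__ == "__main__":
    for f in find_account_commands(SAMPLE_IMAGE):
        print(f)
    print(reused_secrets(SAMPLE_IMAGE))
```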

Tips for Dealing with Similar Ransomware

Even though this ransomware is poorly written, it can still cause trouble for ordinary users. The following steps can help mitigate the infection:

Safe Mode

Boot Windows into Safe Mode, where most startup programs and drivers are disabled, allowing you to delete the malicious executable and related files.

Boot from USB

If the malware persists in Safe Mode, create a bootable USB drive with a WinPE environment, adjust the BIOS boot order, and start from the USB. In WinPE you can access the hard drive and manually remove the ransomware files.

Finally, regular backups to cloud storage or external drives remain the most reliable defense against ransomware.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)