
Cyber Incident Victim: Peoples Government of Yiling District

Date: Mar 2019

Location: China

Summary

A Chinese district government was targeted in a ransomware attack in which the attackers sent malicious emails posing as urgent police notifications, with GandCrab ransomware hidden in a compressed attachment. The ransomware encrypted victims' hard drives and demanded cryptocurrency payment through a Tor payment portal; multiple government systems were confirmed infected. Officials indicated that warnings were issued to departments nationwide, marking the first documented case of cryptocurrency ransom demands against Chinese state entities. Suspicion of North Korean involvement, which remains unconfirmed, arose from a Korean-associated sender name used in the attack.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On March 11, 2019, the People's Government of Yiling District in Yichang, China, reported a ransomware attack targeting government officials via malicious emails. The attackers used emails with the subject line "You must report to the police at 3:00 pm on March 11!" carrying a compressed attachment named "03-11-19.rar." Opening this file deployed version 5.2 of the GandCrab ransomware, which encrypted the hard disk data of infected systems. Victims were instructed to download the Tor browser to reach a payment portal demanding a cryptocurrency ransom. The National Network and Information Security Information Center attributed the campaign to overseas hackers, noting that the attacks began on March 11 and specifically targeted government department websites. While the full scope of compromised systems remained unclear, multiple government hard drives were confirmed infected.


The Chinese government issued warnings to all departments following the incident; one anonymous official confirmed receiving the alerts and suggested that notifications had gone out nationwide. The official noted that cybersecurity advisories are frequent but highlighted this as the first documented ransomware attack against Chinese state entities involving cryptocurrency demands. One malicious email used the sender name "Min, Gap Ryong," a Korean name that led to unconfirmed suspicions of North Korean involvement. No further technical details about containment efforts, decryption success rates, or financial losses were disclosed in the available statement. The incident underscored the targeting of governmental digital infrastructure and the operational use of GandCrab ransomware in politically motivated campaigns.

Sources
Sources available to members
1 source