BlackRouter, a ransomware identified in 2018 is now ramped up as a Raas by its creator. The person behind BlackRouter, known as “MOH3NE2”, is believed to be of Iranian origin.
This ransomware was detected by a cybersecurity researcher Petrovic and is found to have improved features such as a timer and a different GUI over the previous version Blackheart.
Endorsed as RaaS
Bleeping Computer reported that the ransomware was being advertised in the form of RaaS on a Telegram hacking channel. The Iranian developer, MOH3NE2, was found promoting the ransomware development as a ‘remote-controlled project’ and promising to pay 80 percent of ransom money to users who participate in the development of the ransomware.
On the other hand, the same developer was also promoting a trojan called BlackRat. This trojan provides features such as stealing cryptocurrency, and file encryption, among others.
Preying on AnyDesk
Just like any other ransomware, BlackRouter infects systems once users browse malicious websites knowingly or unknowingly. Then, it downloads two files into the system and begins the encryption process.
When BlackRouter was first discovered, it spread through an infected version of a popular remote access application called AnyDesk. Therefore, the first file is an executable file for an older version of AnyDesk, and the second file contains the BlackRouter ransomware. As soon as the AnyDesk executable is executed, BlackRouter begins encrypting files and folders in the background. Once done, it displays a ransom note to the victim.
Earlier incidents showed $50 as the ransom, but the latest version of Blackrouter asks a ransom of $300 to be paid into two accounts. However, BlackRouter incidents are reportedly found less in number. With the development of the RaaS version, it may spread on remote access applications through other software apart from AnyDesk.
Publisher