
Iranian developer touts BlackRouter ransomware as RaaS

  • BlackRouter ransomware was discovered back in May 2018 and targeted the remote access application AnyDesk.
  • It has now been seen promoted by an Iranian developer on a Telegram channel.

BlackRouter, a ransomware strain identified in 2018, is now being offered as Ransomware-as-a-Service (RaaS) by its creator. The person behind BlackRouter, known as “MOH3NE2”, is believed to be of Iranian origin.

This ransomware was detected by cybersecurity researcher Petrovic and was found to have improved features, such as a timer and a different GUI, over the previous version, Blackheart.

Endorsed as RaaS

Bleeping Computer reported that the ransomware was being advertised in the form of RaaS on a Telegram hacking channel. The Iranian developer, MOH3NE2, was found promoting the ransomware development as a ‘remote-controlled project’ and promising to pay 80 percent of ransom money to users who participate in the development of the ransomware.

The same developer was also promoting a trojan called BlackRat. This trojan provides features such as cryptocurrency theft and file encryption, among others.

Preying on AnyDesk

Like other ransomware, BlackRouter infects systems when users browse malicious websites, knowingly or unknowingly. It then downloads two files onto the system and begins the encryption process.

When BlackRouter was first discovered, it spread through an infected version of a popular remote access application called AnyDesk. Accordingly, the first file is an executable for an older version of AnyDesk, and the second file contains the BlackRouter ransomware. As soon as the AnyDesk executable is run, BlackRouter begins encrypting files and folders in the background. Once done, it displays a ransom note to the victim.

Earlier incidents showed a ransom of $50, but the latest version of BlackRouter asks for a ransom of $300 to be paid into two accounts. However, BlackRouter incidents are reportedly few in number. With the development of the RaaS version, it may spread through remote access applications and other software apart from AnyDesk.
