Researchers have discovered a new strain of ransomware called Blackheart that comes bundled with the legitimate remote desktop tool AnyDesk to evade detection. AnyDesk is a popular cross-platform remote desktop application that provides bidirectional remote access between personal computers running various operating systems and unidirectional access on Android and iOS. It also includes several useful features such as file transfer, client-to-client chat and session recording.
According to Trend Micro researchers, Blackheart is a "fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine."
It is still unclear how the ransomware reaches the victim's system. However, researchers noted that users can download the ransomware while visiting compromised or malicious websites. Since the bundled application is legitimate, the victim is unaware of the consequences that arrive with the seemingly safe downloaded package.
Once downloaded and executed, RANSOM_BLACKHEART drops and executes two files: one is the legitimate AnyDesk software, the other is the ransomware. In this case, the attacker was found deploying an older version of AnyDesk. Once the ransomware is downloaded, AnyDesk starts running in the background to distract unsuspecting users while the ransomware quietly begins its encryption routine.
The ransomware otherwise employs methods similar to those used by other ransomware, and demands a modest sum of $50 in Bitcoin in exchange for decrypting the victim's files. Encrypted files are given the .BlackRouter extension. The ransom note, named ReadME-BlackRouter.txt, is dropped on all drives and on the desktop. A screenshot of the ransom note is shown below:
Image Credit: Trend Micro
Researchers are unsure whether the attackers actually keep their promise to decrypt files upon successful payment. The AnyDesk team has already confirmed the existence of the malware bundle and is working to resolve the issue as soon as possible.
In March 2016, another strain of ransomware named Surprise was found bundled with the popular, legitimate TeamViewer application. TeamViewer is a widely used remote desktop connection tool with more than 200 million users around the world.
"We believe bundling AnyDesk with the ransomware might be an evasion tactic," researchers noted. "Cybercriminals may be experimenting with AnyDesk as an alternative because Teamviewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools."