Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background - masking the true purpose of the ransomware while it performs its encryption routine. We believe bundling AnyDesk with the ransomware might be an evasion tactic. When it has accomplished its encryption routine, RANSOM_BLACKHEART will then drop a ransom note, in which the attackers demand $50 or 0.006164 BTC for decryption, in the following locations: BlackRouter extension to the affected file. Once it has found and encrypted a file, it will append the. It will search out and encrypts all files with these extensions in the following folders: Based on our analysis, we can determine that it's a fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine. The second file is the actual ransomware. "cmd.exe" /c vssadmin.exe delete shadows /all /quiet.It will also delete shadow copies via the following process: The AnyDesk user interface on the sample we analyzed Note that the version used by the attackers is an older version of AnyDesk, and not the current one.įigure 2. In addition, it can perform file transfers, provide client to client chat and can also log sessions. The files dropped by RANSOM_BLACKHEARTĪs noted earlier, the first file contains AnyDesk, a powerful application capable of bidirectional remote control between different desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS. Once downloaded, RANSOM_BLACKHEART drops and executes two files:įigure 1. In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.īundling a legitimate tool with ransomwareĪlthough the specifics of how RANSOM_BLACKHEART enters the system remains unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites. TeamViewer, a tool with more than 200 million users, was abused as by a previous ransomware that used the victim’s connections as a distribution method. This isn’t the first time that a malware abused a similar tool. We recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload.
0 kommentar(er)
