New player ransomware – DeroHe has recently added to their victim an established computer utility developer on their list. Their recent victim is the IOBit company that started in 2004, developing various applications that focus on computer optimization and virus/malware protection.
According to the report, the attack was orchestrated to the group forum of IOBit wherein partners and users interact with the developer for sustainable growth of the application through comments and suggestions and test users. The analysis confirmed that the perpetrator got hold of an administrator account of the forum via the vulnerability found on vBulletin 5.6.1 – the platform used by IOBit for their forum. Thus, the perpetrator staged the attack through remote access by posting a misleading special promo to all users equipped with the ransomware.
The promotional offer includes a 1-year free license of use for the bundle application of IOBit which enticed most users to install the package. As per the investigation, the ransomware was sophisticatedly crafted.
It mimics the GUI and the executable extension of the official application of IOBit except for the unsigned DLL of the file package the malicious code is embedded.
To ensure that the ransomware will be properly executed on the system, the installer package includes a warning message to wait until the installation has been completed. Unknowingly to the user, the wait time is being used by the ransomware to encrypt essential data on the victim’s computer in the background. Upon completion, the ransomware will create a list of files that have been encrypted and the ransom notes that are displayed on the computer’s desktop.
The DeroHe ransomware was named after the new digital currency Dero wherein their victims were asked to pay the ransom to the perpetrator’s Dero account using Homomorphic Encryption type. In the case of IOBit, the company was asked to pay 100000 Dero coins for the attacker to decrypt the files of affected users in the forum or for a single user to pay 200 Dero coins which is equivalent to 100 USD with a promise of a return of investment of 500 USD in case that the Dero currency becomes famous and reached its goal of 100 USD per coin.
Most affected users have already expressed their frustration concerning the attack to different channels in the cybercommunity. With the attack being in circulation, the forum was said to be in chaos as instances of site unreachable and redirection to adult sites are in place due to malicious codes injected by the perpetrator. A few days ago, a message from the attacker posted again confirming that IOBit has not yet responded to their demand and threatened to continue the attack and data leakage is to be anticipated. This result for IOBit to shut down the forum to clean it from any impurities or remnants from the attacker that may be used for a possible repeat attack. IOBit did not release any official statement at this time about the incident and no other news from the attacker.