Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. It features high-fidelity machine learning to secure the gateway, endpoint data and applications, and protects physical, virtual, and cloud workloads.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. AnyDesk has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take.
Note that we found another malicious sample that is very similar, but it's bundled with a keylogger (Detected as TSPY_KEYLOGGER.THDBEAH) instead of ransomware. Cybercriminals may be experimenting with AnyDesk as an alternative because Teamviewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools. Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background - masking the true purpose of the ransomware while it performs its encryption routine. We believe bundling AnyDesk with the ransomware might be an evasion tactic. When it has accomplished its encryption routine, RANSOM_BLACKHEART will then drop a ransom note, in which the attackers demand $50 or 0.006164 BTC for decryption, in the following locations: BlackRouter extension to the affected file. Once it has found and encrypted a file, it will append the. It will search out and encrypts all files with these extensions in the following folders: Based on our analysis, we can determine that it's a fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine. The second file is the actual ransomware.
The files dropped by RANSOM_BLACKHEARTĪs noted earlier, the first file contains AnyDesk, a powerful application capable of bidirectional remote control between different desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS. Once downloaded, RANSOM_BLACKHEART drops and executes two files:įigure 1.
In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.īundling a legitimate tool with ransomwareĪlthough the specifics of how RANSOM_BLACKHEART enters the system remains unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites. TeamViewer, a tool with more than 200 million users, was abused as by a previous ransomware that used the victim’s connections as a distribution method. This isn’t the first time that a malware abused a similar tool. We recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload.