A new ransomware is making the rounds after the popular remote desktop tool AnyDesk was exploited as a carrier. The ransomware, referred to as BlackRouter, spreads bundled with the tool as a malicious payload to wreak massive damage.
Just like TeamViewer (which was also exploited previously), AnyDesk offers users bidirectional control across operating systems, i.e. Linux, macOS and FreeBSD. It is not limited to desktop OSes alone, and also supports iOS and Android.
Since BlackRouter is bundled with AnyDesk, a trusted tool, it manages to evade detection.
Understanding the Infection Process
The ransomware relies on being downloaded together with AnyDesk from one of the various third-party download sites out there.
Once downloaded and installed, BlackRouter copies two further files onto the computer in order to execute its malicious processes:
- %User Temp%\BLACKROUTER.exe
- %User Temp%\ANYDESK.exe
ANYDESK.exe provides client-to-client chat, file transfers and session logging, but it is an older version of AnyDesk rather than a current one. BLACKROUTER.exe is the ransomware itself, which encrypts files on the system under a variety of extensions, e.g. .xks, .gif, .pdf, etc.
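A defender-side check for the drop pattern described above, added here as an example and not taken from the article: it scans constructed file-creation events for the two reported file names landing in a user temp directory and, more generally, for a single parent process writing a pair of executables into temp within a short window. The event shape, sample paths and parent process names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample file-creation events, shaped as (timestamp in seconds,
# parent process image, created path). The log shape and paths are assumed;
# only the two dropped file names come from the article.
SAMPLE_EVENTS = [
    (100, r"C:\Users\alice\Downloads\AnyDesk_setup.exe",
     r"C:\Users\alice\AppData\Local\Temp\ANYDESK.exe"),
    (102, r"C:\Users\alice\Downloads\AnyDesk_setup.exe",
     r"C:\Users\alice\AppData\Local\Temp\BLACKROUTER.exe"),
    (300, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     r"C:\Users\alice\AppData\Roaming\AnyDesk\service.conf"),
    (400, r"C:\Users\bob\Downloads\installer.exe",
     r"C:\Users\bob\AppData\Local\Temp\helper.dll"),
]

# File names the article reports BlackRouter copying into %User Temp%.
DROPPED_NAMES = {"blackrouter.exe", "anydesk.exe"}
# Matches a per-user temp directory in a Windows path (assumed layout).
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def flag_events(events, window=60):
    """Return a list of (rule, detail) alerts.
    known-dropped-name: a reported file name written into a user temp dir.
    temp-exe-pair: one parent writes two or more .exe files into user temp
    within `window` seconds, the bundling pattern the article describes.
    """
    alerts = []
    exe_drops = defaultdict(list)  # parent image -> [(ts, path), ...]
    for ts, parent, path in events:
        if USER_TEMP_RE.search(path) is None:
            continue  # only care about files landing in %User Temp%
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES:
            alerts.append(("known-dropped-name", path))
        if name.endswith(".exe"):
            exe_drops[parent].append((ts, path))
    for parent, drops in exe_drops.items():
        drops.sort()
        for i in range(1, len(drops)):
            if drops[i][0] - drops[i - 1][0] <= window:
                alerts.append(("temp-exe-pair", parent))
                break
    return alerts


if __name__ == "__main__":
    for rule, detail in flag_events(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```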
Once the ransomware has done its work, it demands $50 worth of Bitcoin, after which access is apparently restored through Telegram. Additionally, it warns users not to shut down their computers, claiming the encrypted files would otherwise be locked forever.
For now, it is advisable to steer clear of any and all similar remote desktop sharing applications; where such a tool cannot be avoided, obtain it only from the vendor rather than from the third-party download sites described above. As problematic as it is, that is the only solution for now. Also, make sure you use a VPN to remain secure and anonymous online, unless you want to be monitored by the wrong crowd. No? Didn’t think so.