According to Trend Micro researchers a new ransomware strain called Blackheart drops its payload alongside the perfectly legitimate AnyDesk remote desktop tool, highly likely as a way to evade detection.
This isn’t the first time that a malware abused a similar tool. TeamViewer, a tool with more than 200 million users, was abused as by a previous ransomware that used the victim’s connections as a distribution method.
Trend Micro researchers are guessing that cyber offenders are likely testing with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware.
In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.
A sample of the malware, detected as RANSOM_BLACKHEART, was found to generate a ransom note demanding a modest sum of $50 in bitcoins in exchange for decrypting affected files, Trend Micro reports in a May 1 blog post. The company refers to BLACKHEART as a "fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine."
Like TeamViewer, AnyDesk is developed in Germany, and the product gives you bidirectional remote access between personal computers running on various operating systems and unidirectional access on the Android and iOS mobile platforms.
Trend Micro researchers speculate that cyber offenders may be experimenting with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware -- although in that case, it was confirmed that TeamViewer connections were actually used to install the malicious code.
Trend Micro reports that AnyDesk "has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take."
Free Ransomware Simulator Tool
How vulnerable is your network against a ransomware attack?
Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?
KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.