The forum of IObit, a developer of anti-malware and anti-virus software for Microsoft Windows, was compromised and used to distribute the DeroHE ransomware to forum members.
According to BleepingComputer, over the weekend IObit forum users began receiving emails that appeared to come from IObit, offering a free one-year license to its software as a special bonus for forum members. The email linked to a page on the forum itself, which served a .zip file containing the digitally signed files of the legitimate IObit License Manager program, but with IObitUnlocker.dll swapped for an unsigned malicious version: a DLL side-loading setup in which the trusted, signed executable loads the attacker's library.
Once executed, the malicious IObitUnlocker.dll installs the DeroHE ransomware as C:\Program Files (x86)\IObit\iobit.dll and runs it. Emsisoft researcher Elise van Dorp, who analyzed the ransomware, found that it also adds several Windows Defender exclusions so that the DLL can run unhindered.
When encrypting a victim's files, DeroHE appends the .DeroHE extension to each encrypted file and writes a block of information to the end of the file. It also creates two files: FILES_ENCRYPTED.html, which lists every encrypted file, and READ_TO_DECRYPT.html, the ransom note.
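As an added example (not code from the article, BleepingComputer, Emsisoft or IObit), the PowerShell triage below checks an extracted copy of the "license manager" package for the tell-tale of this attack, an unsigned DLL sitting among signed files, and then looks on the host for the indicators reported above: the dropped DLL path, Windows Defender exclusions, and the renamed files and HTML notes. The package directory and the search root are assumptions; the drop path, file names and extension are the ones named in this article.

```powershell
# Added triage script; not from the article or from IObit. Run in an elevated
# PowerShell session on the suspect host. $PackageDir and $SearchRoot are assumed
# locations; the drop path, file names and extension are those reported above.
param(
    [string]$PackageDir = "$env:USERPROFILE\Downloads\IObitLicenseManager",  # assumed extraction dir
    [string]$SearchRoot = $env:USERPROFILE,                                   # assumed scan root
    [string]$DropPath   = 'C:\Program Files (x86)\IObit\iobit.dll'            # path named in the article
)

# 1. Every PE in the package should carry a valid Authenticode signature. The
#    attackers kept the signed files and replaced only IObitUnlocker.dll, so any
#    DLL or EXE that is not 'Valid' is the one to look at.
Write-Host "== Signature check: $PackageDir"
Get-ChildItem -Path $PackageDir -Recurse -Include *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize

# 2. The dropped payload. The legitimate IObit directory holds signed files, so an
#    unsigned iobit.dll there is a strong indicator on its own.
Write-Host "== Drop path check: $DropPath"
if (Test-Path -LiteralPath $DropPath) {
    Write-Warning "Found $DropPath"
    Get-AuthenticodeSignature -FilePath $DropPath | Select-Object Status, StatusMessage
    Get-FileHash -Algorithm SHA256 -LiteralPath $DropPath | Select-Object Hash
}

# 3. Defender exclusions. The ransomware adds several; on a normal workstation the
#    lists are usually empty, so anything here (especially under the IObit
#    directory) deserves explanation.
Write-Host '== Windows Defender exclusions'
$pref = Get-MpPreference
@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
    Where-Object { $_ } |
    ForEach-Object { "Exclusion: $_" }

# 4. Encryption artefacts: renamed files and the two HTML files the malware writes.
Write-Host "== Encryption artefacts under $SearchRoot"
Get-ChildItem -Path $SearchRoot -Recurse -ErrorAction SilentlyContinue `
    -Include *.DeroHE, FILES_ENCRYPTED.html, READ_TO_DECRYPT.html |
    Select-Object FullName, LastWriteTime -First 20
```

Step 1 is the check that would have caught the package before it ran: Get-AuthenticodeSignature reports NotSigned for the swapped DLL even though every other file in the archive validates. Steps 2 to 4 are post-infection indicators only; finding them means the host should be isolated and imaged, not cleaned with this script.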
The ransom note promotes the DERO cryptocurrency and instructs the victim to send 200 coins, worth about $100 at the time, to the address in the note in order to receive a decryptor. It also links to the ransomware's Tor payment site, which carries a message stating that IObit can pay $100,000 in DERO to have all victims decrypted because, in the attackers' words, it is IObit's fault that the victims' computers were infected.
At the time of writing, IObit had not issued a statement on the incident. How the attackers compromised the forum to host the malware is not known, though it is possible they gained access to an administrative account.
Just this week, the OpenWrt project disclosed a breach in which attackers gained access to an administrator account on the OpenWrt forum and copied the user list, which contains email addresses, handles, and other statistical information about users.