Legitimate Application AnyDesk Bundles with New Ransomware Variant
(May 1, 2018)
A new ransomware, dubbed “Blackheart,” was identified bundled together with the legitimate remote desktop application “AnyDesk,” according to Trend Micro researchers. The researchers note that while the initial infection vector is unknown, they have observed cases in which users unknowingly downloaded Blackheart upon visiting a malicious website. Once the ransomware is executed, it drops and executes two additional files: the ransomware executable and an AnyDesk executable. The threat actors behind this campaign are demanding 0.06164 bitcoins (approximately $50 USD) for the decryption key.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.