Fake Software Promotion Used to Deploy Ransomware
IOBit is a US software company based in San Francisco that develops Windows utilities. According to their website, their utilities clean, optimize, speed up and secure PCs. However, IOBit forum users were getting anything but security from the company’s products over the last week. A week ago, IOBit forum users received emails pretending to be from the company that included a free software promotion. The emails stated that forum members were being awarded a free 1‑year licence for their IOBit products. However, when users clicked the “Get it Now” link, they downloaded a fake malware ridden software installer package instead. This fake package had been signed with legitimate certificates from IOBit’s License Manager. However, one of the legitimate dll files in the installer package had been replaced with an unsigned malicious dll file. When the victims ran the installer, the malicious dll file downloaded the ransomware dubbed DeroHE instead of a free licence. The hackers’ use of signed certificates allowed the fake installer package to bypass users’ Antivirus software. The DeroHE ransomware not only encrypts victims’ files, but it also corrupts file headers breaking them into fragments. This reduces the likelihood that the files can be successfully recovered without a decryption key. Consequently, victims would need to restore the encrypted files from backup to recover them.
Fake IOBit Promotion Well Crafted
Since most of the dll files were signed with legitimate certificates and the installer package was hosted on IOBit’s site, a large number of forum users who received the email were fooled by the promotion and believed that it was legitimate. As one forum user stated: “I’m usually a tech savvy guy and know better to download/run strange software, but everything looked legit (email address, artwork, link on their URL), so I downloaded the ‘freebie’ patch that all alleged to register my IOBit software. Hours later, my computer was completely trashed.”
Hackers Ransom Demand
For victims to have their files decrypted, the hackers are demanding $100 in DERO cryptocurrency, which equates to approximately US $66. Then over the weekend, the cybercriminals hacked into IOBit’s forums again to display a message demanding a ransom from the company itself. The hackers have demanded that the company pay $100,000 in DERO, which is approximately US $66,500. If the company pays this ransom amount, the hackers have promised to decrypt all victims’ PCs. The hackers have demanded this ransom from the company as they regard IOBit responsible for the compromise. They also threatened to hack the company yet again and leak the company’s data if the ransom is not paid. In a message posted on one of IOBit’s forums the hackers say: “Hello, your IObit have been hacked! A week has passed and your ‘antivirus’ company still doing nothing to secure their server! IObit send us 100000 DERO or more hacks and leaks to come.” Furthermore, the DeroHE Tor payment site states “After payment arrive, all encrypted computer (including yours) will be decrypted. THIS IS IOBIT’s FAULT to made your computer getting infected.” DeroHE is the first ransomware to require payment in the DERO cryptocurrency. A currency that describes itself as allowing secure and anonymous transactions.
IObit’s Response
IOBit has since shut down its forum website, which is built on a third-party platform. However, IOBit has not released an official statement regarding their forums coming under repeated attack. Nonetheless, Emma Chen of IOBit stated: “We immediately closed the whole forum and updated our database to stop the spread of the ransomware. And for now, we are trying to build an IObit forum with a new and safer platform.”
