Ransomware delivered through hacked IObit emails and forums

DeroHE ransomware spread camouflaged as promotional IObit software

IObit forum hacked. Forum members receive promotional emails leading to ransomware infections.

During the weekend, IObit, a company specializing in various Windows utilities, was hacked.[1] All of its forum members received promotional emails from what appeared to be a legitimate company address, offering them a free one-year license for any of its software.

The promotion isn't real: hackers are using the IObit forums to spread spam emails.[2] The download links lead to DeroHE ransomware, which encrypts all personal files (pictures, documents, archives, databases, etc.), renames them by appending a .DeroHE extension, and creates ransom notes with details on how to regain access to the locked files.

The spam emails originated from webmaster@iobit.com, but other addresses might be used for the same purpose. So if you're a member of the IObit forum, don't be taken in by this too-good-to-be-true promotion, and don't click any download links for the offered software.

Examination of the DeroHE ransomware

According to reports,[3] whoever clicked the "GET IT NOW" button in the email was redirected to hxxps://forums.iobit.com/promo.html, which is no longer operational. From there, an archive from hxxps://forums.iobit.com/free-iobit-license-promo.zip was downloaded to the device.

The archive contained digitally signed files from the IObit License Manager app, but with a twist: IObitUnlocker.dll had been replaced with malicious code, so when users launched the manager, the altered DLL installed DeroHE ransomware on the device.
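The defensive lesson of the swapped DLL is that a signature on the launcher says nothing about the components it loads; each file in a bundle has to be checked on its own. The following is an added example, not code from the article or from IObit, that verifies every file of an unpacked bundle against a known-good manifest of SHA-256 hashes and flags anything replaced, added or missing. The file contents, the manifest and the bundle it checks are constructed placeholders for the demo.

```python
"""Added example (not the article's or IObit's code): detect a swapped
component inside an otherwise legitimate software bundle by comparing
every file against a known-good hash manifest."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(known_good_files: dict) -> dict:
    """known_good_files maps filename -> bytes as shipped by the vendor."""
    return {name: sha256_hex(content) for name, content in known_good_files.items()}


def verify_bundle(bundle: dict, manifest: dict) -> dict:
    """Compare an unpacked bundle (filename -> bytes) with the manifest.

    Returns sorted lists under four keys:
      tampered   - present in both, but the hash does not match
      unexpected - present in the bundle but not in the manifest
      missing    - listed in the manifest but absent from the bundle
      ok         - present and matching
    """
    result = {"tampered": [], "unexpected": [], "missing": [], "ok": []}
    for name, content in bundle.items():
        expected = manifest.get(name)
        if expected is None:
            result["unexpected"].append(name)
        elif sha256_hex(content) != expected:
            result["tampered"].append(name)
        else:
            result["ok"].append(name)
    for name in manifest:
        if name not in bundle:
            result["missing"].append(name)
    for key in result:
        result[key].sort()
    return result


# Constructed stand-ins for the vendor's files; the real binaries are not reproduced here.
GENUINE = {
    "IObitLicenseManager.exe": b"constructed-genuine-launcher-bytes",
    "IObitUnlocker.dll": b"constructed-genuine-unlocker-bytes",
    "license.txt": b"constructed-license-text",
}
KNOWN_GOOD_MANIFEST = build_manifest(GENUINE)


def verify_demo_bundle() -> dict:
    """Constructed bundle: launcher and license intact, the DLL swapped,
    and one extra file that the vendor never shipped."""
    bundle = dict(GENUINE)
    bundle["IObitUnlocker.dll"] = b"constructed-replaced-payload-bytes"  # swapped component
    bundle["promo.dat"] = b"constructed-file-not-in-manifest"
    return verify_bundle(bundle, KNOWN_GOOD_MANIFEST)


if __name__ == "__main__":
    report = verify_demo_bundle()
    for key in ("tampered", "unexpected", "missing", "ok"):
        print(f"{key:10}: {report[key]}")
```

On Windows the practical equivalent is to check each file's own Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) rather than trusting the signature on the launcher alone; the hash-manifest approach above works anywhere the vendor publishes per-file hashes.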

Since the email looked genuine and the software offer seemed legitimate because of the signed certificate, many IObit forum members walked right into the cybercriminals' trap and had their files encrypted.

In the ransom notes, titled FILES_ENCRYPTED.html and READ_TO_DECRYPT.html, victims are given a few options to regain access to the locked data. Since the hackers blame IObit for the ransomware spread, they suggest that victims push IObit to pay the hackers $100,000 in the Dero cryptocurrency. If that is done, they promise to send the necessary decryption tools to every impacted user for free. As the notes state:

Tell iobit.com to send us 100000 (1 hundred thousand) DERO coin to this address. dERopYDgpD235oSUfRSTCXL53TRakECSGQVQ2hhUjuCEjC6z SNFZsRqavVVSdyEzaViULtCRPxzRwRCKZ2j2ugCg26hRtLziwu

After payment arrive, all encrypted computer (including yours) will be decrypted. THIS IS IOBIT's FAULT for your computer got hacked.

The other option is to transfer 200 Dero coins (approx. $100) to the attackers' crypto wallets. It's not known whether the locked files can be easily decrypted, but dealing with the criminals might be dangerous. We highly advise against contacting them or paying the ransom.
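The two artifacts the article names, the appended .DeroHE extension and the ransom notes FILES_ENCRYPTED.html and READ_TO_DECRYPT.html, are what a responder looks for first when triaging a machine. The script below is an added example, not code from the article, that walks a directory tree, reports those indicators and recovers the original extensions of the encrypted files so the scope of the damage is clear. The directory it scans is a constructed sample built in a temporary folder.

```python
"""Added example (not from the article): host triage for the DeroHE
indicators named in the text. The sample tree is constructed for the demo."""
import shutil
import tempfile
from pathlib import Path

RANSOM_NOTE_NAMES = {"FILES_ENCRYPTED.html", "READ_TO_DECRYPT.html"}
ENCRYPTED_SUFFIX = ".derohe"  # compared case-insensitively


def scan_for_derohe(root) -> dict:
    """Walk `root` and return sorted lists of encrypted files (relative
    POSIX paths), ransom notes, and the original extensions that were hit."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            notes.append(rel)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted.append(rel)
    # "report.docx.DeroHE" -> strip ".DeroHE" -> original extension ".docx"
    original_extensions = sorted(
        {Path(p).with_suffix("").suffix.lower() for p in encrypted if Path(p).with_suffix("").suffix}
    )
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "original_extensions": original_extensions,
    }


def build_sample_tree() -> Path:
    """Constructed sample imitating a hit user profile: two renamed files,
    one untouched file, and a ransom note in two locations."""
    root = Path(tempfile.mkdtemp(prefix="derohe_demo_"))
    (root / "Documents").mkdir()
    (root / "Pictures").mkdir()
    (root / "Documents" / "report.docx.DeroHE").write_bytes(b"\x00" * 16)
    (root / "Documents" / "FILES_ENCRYPTED.html").write_text("<html>constructed note</html>")
    (root / "Pictures" / "holiday.jpg.DeroHE").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "untouched.png").write_bytes(b"\x89PNG")
    (root / "READ_TO_DECRYPT.html").write_text("<html>constructed note</html>")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        report = scan_for_derohe(sample)
        print(f"{len(report['encrypted'])} encrypted file(s), {len(report['notes'])} ransom note(s)")
        for kind in ("encrypted", "notes"):
            for item in report[kind]:
                print(f"  {kind}: {item}")
        print("original extensions hit:", report["original_extensions"])
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Point it at a user profile or a mounted disk image to get the list of affected files and ransom-note locations before any cleanup; the list of original extensions tells you which data categories (documents, pictures, archives) were targeted.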

VirusTotal reports[4] that only 19 out of 68 antivirus engines recognized the malicious activity and prevented the ransomware from infecting the device. That only reiterates the need for a professional anti-malware tool to watch your back.

Hacked IObit forum is injected with malicious scripts

Apparently, the company managed to take down the download link for the fake promotion, but its forum is still compromised with malicious scripts. Forum members are pushed to subscribe to notifications, which would bombard their computers with ads promoting adult and gambling websites, malicious software, and other dangerous content.

Additionally, if forum visitors click anything while on the site, a new tab pops up promoting the same adult websites. We advise refraining from using the IObit forum until the company sorts out all the issues related to this hack.

If you clicked the fake promotion link and downloaded the malware, refer to our article,[5] where our cybersecurity research team provides detailed instructions on how to remove DeroHE ransomware correctly.

About the author
Julie Splinters, malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
