A nearly discovered ransomware program drops its malicious payload alongside the perfectly legitimate AnyDesk remote desktop tool, possibly as a means to evade detection, according to researchers.
A sample of the malware, detected as RANSOM_BLACKHEART, was found to generate a ransom note demanding a modest sum of $50 in bitcoins in exchange for decrypting affected files, Trend Micro reports in a May 1 blog post. The company refers to BLACKHEART as a “fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine.”
While it’s known that BLACKHEART infects its victims via malicious sites, the company does not at this time understand the specifics of that process. Trend Micro also found a similar sample that bundled AnyDesk with the keylogger TSPY_KEYLOGGER.THDBEAH instead.
Developed by AnyDesk Software GmbG in Germany, AnyDesk providers users with bidirectional remote access between personal computers running on various operating systems and unidirectional access on the Android and iOS mobile platforms. Other features include Transport Layer Security, file transfers and client-to-client chat.
“We believe bundling AnyDesk with the ransomware might be an evasion tactic,” the blog post explains. “Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background — masking the true purpose of the ransomware while it performs its encryption routine.”
Trend Micro researchers also speculate that cyber offenders may be experimenting with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware — although in that case, it was confirmed that TeamViewer connections were actually used to install the malicious code.
Trend Micro reports that AnyDesk “has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take.”