Threat Management, Malware, Ransomware

BLACKHEART ransomware uses legit AnyDesk tool as an unwitting accomplice


A nearly discovered ransomware program drops its malicious payload alongside the perfectly legitimate AnyDesk remote desktop tool, possibly as a means to evade detection, according to researchers.

A sample of the malware, detected as RANSOM_BLACKHEART, was found to generate a ransom note demanding a modest sum of $50 in bitcoins in exchange for decrypting affected files, Trend Micro reports in a May 1 blog post. The company refers to BLACKHEART as a "fairly common ransomware, with a routine that encrypts a variety of files that use different extensions as part of its routine."

While it's known that BLACKHEART infects its victims via malicious sites, the company does not at this time understand the specifics of that process. Trend Micro also found a similar sample that bundled AnyDesk with the keylogger TSPY_KEYLOGGER.THDBEAH instead.

Developed by AnyDesk Software GmbG in Germany, AnyDesk providers users with bidirectional remote access between personal computers running on various operating systems and unidirectional access on the Android and iOS mobile platforms. Other features include Transport Layer Security, file transfers and client-to-client chat.

"We believe bundling AnyDesk with the ransomware might be an evasion tactic," the blog post explains. "Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system's background -- masking the true purpose of the ransomware while it performs its encryption routine."

Trend Micro researchers also speculate that cyber offenders may be experimenting with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware -- although in that case, it was confirmed that TeamViewer connections were actually used to install the malicious code.

Trend Micro reports that AnyDesk "has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.