Bleeping Computer reports that the forum of IObit, a developer of various Windows utilities, was hacked last weekend and is now being used to distribute the DeroHE ransomware to members of the official forum.
The problem came to light when IObit forum members began receiving emails, apparently from the company, stating that as a gift they were entitled to a free one-year license for its software.
The link in the email, which supposedly led to the free license, actually sent victims to https://forums.iobit[.]com/promo.html. That page no longer exists, but at the time of the attack it served the archive free-iobit-license-promo.zip (VirusTotal).
When IObit License Manager.exe was run, it also loaded the malicious IObitUnlocker.dll shipped alongside it, and this in turn installed the DeroHE ransomware as C:\Program Files (x86)\IObit\iobit.dll (VirusTotal) and executed it.
Because most of the executables were signed with an IObit certificate and the archive was hosted on the company's own website, users installed the malware willingly, believing they had received a gift from the company, and the trick went unnoticed. Judging by posts on the IObit forum, the attack targeted every forum member.
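As a practical check a recipient could have run on the archive before executing anything, here is an added PowerShell script (not IObit's or Bleeping Computer's code) that verifies the Authenticode signature of every EXE and DLL in an extracted directory, prints SHA256 hashes for a VirusTotal lookup, and flags DLLs that sit beside a validly signed EXE without a matching signature, which is the loader-plus-DLL pattern described above. The extraction path is a hypothetical placeholder.

```powershell
# Added example, not IObit's or Bleeping Computer's code. Assumes the archive
# was already extracted to $ExtractDir (hypothetical path) inside an isolated VM.
param(
    [string]$ExtractDir = "C:\Quarantine\free-iobit-license-promo"
)

# Every PE file (exe and dll) in the extracted tree
$pe = Get-ChildItem -Path $ExtractDir -Recurse -Include *.exe, *.dll -File

$report = foreach ($f in $pe) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Directory = $f.DirectoryName
        Ext       = $f.Extension.ToLower()
        Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

"== Files whose signature is missing or does not verify =="
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Path, Status, Sha256 -AutoSize

"== All hashes (paste into VirusTotal) =="
$report | Format-Table Path, Status, Sha256 -AutoSize

# DLLs located next to a validly signed EXE that are unsigned, fail verification,
# or are signed by a different publisher: candidates for side-loading by that EXE.
foreach ($exe in ($report | Where-Object { $_.Ext -eq '.exe' -and $_.Status -eq 'Valid' })) {
    $report | Where-Object {
        $_.Ext -eq '.dll' -and $_.Directory -eq $exe.Directory -and
        ($_.Status -ne 'Valid' -or $_.Signer -ne $exe.Signer)
    } | ForEach-Object {
        Write-Warning ("{0} may side-load {1} (signature status: {2})" -f $exe.Path, $_.Path, $_.Status)
    }
}
```

A valid signature only says who signed a file, not that it is safe: the signed IObit executable was precisely the lure here. The useful signal is the combination, a validly signed loader with an unsigned or differently signed DLL beside it, and any file with a hash that VirusTotal already flags.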
Bleeping Computer studied the ransomware and writes that, judging by the ransom note titled "Dero Homomorphic Encryption", the malware promotes the DERO cryptocurrency. Victims are asked to pay 200 DERO, worth about $100 at the time, to decrypt their files.
The note also links to the attackers' onion site (http://deropayysnkrl5xu7ic5fdprz5ixgdwy6ikxe2g3mh2erikudscrkpqd.onion), which not only accepts payments but also invites IObit to pay 100,000 DERO to decrypt all victims at once. The attackers claim the whole incident is IObit's fault and that the company should therefore pay.
Worse, the company's forums are still compromised and dangerous. Visiting them returns a 404 error, but the browser also shows a prompt to subscribe to notifications. If you accept, the notifications do arrive, and most of them are ads for adult sites, malware and other unwanted content.
Clicking anywhere on the page also opens a new tab with adult-site ads, and other sections of the site appear to be compromised as well, redirecting visitors to porn sites.
The malicious script the attackers embedded in the pages of the IObit website is shown below.
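The injected script itself is not reproduced on this page. As an added example (not the attackers' code, and not from Bleeping Computer), the following Node.js scanner looks at a fetched page's inline scripts for the two behaviours described above: a notification-permission prompt or push subscription, and a page-wide click handler paired with window.open. The sample 404 page it runs on is constructed for the demonstration.

```javascript
// Added example: heuristic scanner for the push-spam and click-to-new-tab
// behaviour described above. The indicators are ordinary browser APIs, so a
// hit is a triage signal, not proof; the point is to catch them on pages
// (like an error page) that have no business using them.
const INDICATORS = [
  { name: 'notification-prompt', re: /Notification\s*\.\s*requestPermission\s*\(/ },
  { name: 'push-subscribe',      re: /pushManager\s*\.\s*subscribe\s*\(/ },
  { name: 'global-click-hook',   re: /(?:document|window|body)\s*\.\s*(?:addEventListener\s*\(\s*['"](?:click|mousedown|touchstart)['"]|on(?:click|mousedown)\s*=)/ },
  { name: 'window-open',         re: /window\s*\.\s*open\s*\(/ },
];

// Pull the body of every inline <script> block out of raw HTML.
function extractInlineScripts(html) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) out.push(m[1]);
  return out;
}

// One finding per inline script that matches at least one indicator.
// clickHijack: a document-wide click hook combined with window.open
// pushSpam:    a notification permission request or push subscription
function scanPage(html) {
  const findings = [];
  extractInlineScripts(html).forEach((src, i) => {
    const hits = INDICATORS.filter(ind => ind.re.test(src)).map(ind => ind.name);
    if (hits.length === 0) return;
    findings.push({
      script: i,
      hits,
      clickHijack: hits.includes('global-click-hook') && hits.includes('window-open'),
      pushSpam: hits.includes('notification-prompt') || hits.includes('push-subscribe'),
    });
  });
  return findings;
}

// Constructed sample: a 404 body carrying a script of the kind the text
// describes, plus a second, harmless script that should not be flagged.
const SAMPLE_404 = `<html><head><title>404 Not Found</title>
<script>
  if ('Notification' in window) { Notification.requestPermission(); }
  document.addEventListener('click', function () {
    window.open('https://ads.example/landing', '_blank');
  });
</script></head><body><h1>404</h1>
<script>console.log('harmless analytics stub');</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SAMPLE_404), null, 2));
}
```

To use it on a live site, fetch the HTML with curl (from an isolated machine, since the page is hostile) and pass the body to scanPage; a 404 page that requests notification permission and hooks every click is exactly the symptom reported here. Legitimate pages use these APIs too, so review any hit by hand rather than treating it as a verdict.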
IObit representatives have not yet commented on the incident and are not responding to journalists' requests.
As a reminder, we previously wrote that the authors of the Ryuk ransomware have already earned more than $150 million.