
DeroHE Ransomware

The DeroHE Ransomware is a file-locking Trojan with no known family. Its campaign uses targeted e-mail tactics that trick Web forum members into installing the Trojan by mistake, such as promotional messages for a fake IObit software license. Users should avoid compromised sites until their operators confirm that they have re-secured them, keep backups for recovering any locked files, and let anti-malware services remove the DeroHE Ransomware and block its known infection vectors.

Custom-Made Trojans for Customer-Specific Tactics

Unlike most established families of file-locking Trojans, independent ones usually aren't well-made, professionally programmed, or widely distributed. The DeroHE Ransomware is a standout exception: a Trojan outside of Ransomware-as-a-Service offerings and other families, but with well-crafted tactics and payloads. However, its eventual modus operandi is nothing more than encrypting files and extracting a ransom from desperate victims.

The DeroHE Ransomware's story begins with the apparent hacking of an IObit forum admin account. The threat actor then sent crafted e-mail messages promoting a 'free,' forum-member-exclusive, year-long subscription to IObit products, such as its security or optimization applications. The link leads to a ZIP archive hosted on iobit.com that carries the DeroHE Ransomware bundled with signed IObit License Manager files, which lends the download an air of legitimacy.

Windows users who fall for this deft con experience side effects similar to those of other file-locking Trojans, such as the Scarab Ransomware or Hidden Tear. The DeroHE Ransomware blocks media files with encryption that malware experts currently classify as secure, appends an extension to their names ('DeroHE,' which references the Dero cryptocurrency the ransom demands), and drops an unusual HTML ransom note. The note offers victims several routes to data recovery, including getting IObit to pay a much higher ransom, or a 'free' option involving social networking activity that presumably generates ad revenue or other benefits for the attackers.
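The two on-disk symptoms described above, the appended 'DeroHE' extension and the HTML ransom note, are what an incident responder triages first. The following Python script is an added example written for this page, not code from the DeroHE Ransomware analysis or from IObit. It walks a directory, separates files carrying the locker's extension into those whose contents are genuinely high-entropy (encrypted) and those that were merely renamed, and flags HTML files that mention the locker. The ransom-note filename, the 7.0 bits/byte entropy threshold, and the sample directory it builds are all assumptions constructed for the example; the page does not document them.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extension the page reports DeroHE appending to locked files.
RANSOM_EXT = ".DeroHE"
# The note's filename is not known from the page, so we match HTML files on
# content rather than name (assumption for this example).
NOTE_MARKER = b"DeroHE"
# Well-encrypted data approaches 8 bits/byte of entropy; documents and media
# containers score noticeably lower on their first block (assumed cut-off).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root, ext=RANSOM_EXT, threshold=ENTROPY_THRESHOLD):
    """Walk `root` and sort findings into three buckets:
    - encrypted: files with the locker's extension whose content looks encrypted
    - renamed_not_encrypted: files with the extension but low-entropy content
      (a renaming artefact or an interrupted run; possibly recoverable as-is)
    - ransom_notes: HTML files mentioning the locker
    """
    result = {"encrypted": [], "renamed_not_encrypted": [], "ransom_notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() == ext.lower():
            # Read only the first 64 KiB: enough to judge entropy without
            # streaming whole media files during triage.
            with path.open("rb") as f:
                h = shannon_entropy(f.read(65536))
            bucket = "encrypted" if h >= threshold else "renamed_not_encrypted"
            result[bucket].append((str(path), round(h, 2)))
        elif path.suffix.lower() in (".html", ".htm"):
            if NOTE_MARKER in path.read_bytes():
                result["ransom_notes"].append(str(path))
    return result


def build_sample_tree():
    """Create a constructed sample directory (not real DeroHE artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="derohe_triage_"))
    # Deterministic high-entropy bytes stand in for ciphertext.
    fake_ciphertext = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
    )
    (root / "photo.jpg.DeroHE").write_bytes(fake_ciphertext)
    # Renamed, but the content is obviously not encrypted.
    (root / "notes.txt.DeroHE").write_bytes(b"quarterly notes\n" * 256)
    # Constructed stand-in for the HTML ransom note; the wording is invented.
    (root / "READ_ME.html").write_text(
        "<html><body>Your files were locked by DeroHE</body></html>"
    )
    # An untouched document that should not appear in any bucket.
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for bucket, items in summary.items():
        print(f"{bucket}: {items}")
```

Run it against a real share root instead of the constructed tree to get a count of affected files and a quick sanity check that they were actually encrypted rather than just renamed; the entropy test is a heuristic, so treat borderline scores as a prompt for manual inspection rather than a verdict.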

Alternatives to Taking Downloads at Their Word

The DeroHE Ransomware's campaign is an extreme case of an attack that compromises official, otherwise safe websites and converts them into distribution points for Trojans. As usual, malware experts recommend avoiding unusual e-mail links and attachments, and treating downloads wrapped inside archives as a warning sign of obfuscation. Many security programs detect the DeroHE Ransomware, although detection rates remain lower than for more traditional file-locker Trojans.

Backups remain crucial to keeping the DeroHE Ransomware's attacks from inflicting permanent damage on files. Criminals may or may not honor the bargains they make during extortion, and free decryption is a rare option available only to a lucky few. Windows users should keep backups on removable drives that stay disconnected when not in use, or on password-protected servers, for the best security.

Malware analysts recommend keeping security solutions' signature databases updated, which reduces inaccurate or missed detections. Well-maintained security products should delete the DeroHE Ransomware in most cases.

The work the DeroHE Ransomware's Dero-hoarding threat actor put into this campaign is no fluke. Competing with Ransomware-as-a-Service operations requires a well-thought-out business model, and it seems that at least one criminal has settled on advanced social engineering aimed at a targeted customer demographic.
