Iranian Malware BlackRouter – evolved as a Ransomware

January 17, 2020

BlackRouter, a ransomware first identified in 2018, is now being promoted as ransomware-as-a-service (RaaS) by its author. The individual behind BlackRouter, known as “MOH3NE2”, is believed to be of Iranian origin.

The ransomware was identified by security researcher Petrovic and was found to have additional features, such as a timer and a different GUI, compared with the previous version, Blackheart.

Security researchers reported that the ransomware was being advertised as RaaS on a Telegram hacking channel. The Iranian developer, MOH3NE2, was found promoting the ransomware development as a ‘remote-controlled project’ and promising to pay 80 percent of the ransom money to users who participate in promoting the ransomware.

The same developer was also promoting a trojan called BlackRat. This trojan offers features such as cryptocurrency theft and file encryption, among others.

Like other ransomware, BlackRouter infects systems when users browse malicious websites, whether intentionally or unwittingly. It then downloads two files onto the system and begins the encryption process.

When BlackRouter was first discovered, it spread through an infected copy of the popular remote access application AnyDesk. Accordingly, the first file is an executable for an older version of AnyDesk, and the second file contains the BlackRouter ransomware.
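The trojanized-installer pattern described above (a legitimate executable with the ransomware bundled alongside it) is something a defender can screen for before an installer is run. The following Python script is an added example, not code from the original article or from any of the researchers it cites. It parses the PE section table to find where the carrier image ends and scans the trailing overlay for a second embedded MZ/PE header. The assumption that the payload is appended to the carrier as an overlay is a common bundling technique, not something the article states; the sample files are constructed inside the script and are not real AnyDesk or BlackRouter binaries.

```python
import struct

PE_SIG = b"PE\x00\x00"


def build_fake_pe(section_data: bytes) -> bytes:
    """Build a constructed, PE-shaped byte string with one section.

    Test scaffolding only: it has valid DOS/COFF/section headers so the
    parser below can walk it, but it is not a runnable executable.
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xE0          # PE32 optional header size
    nsections = 1
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, size_opt, 0x102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)    # PE32 magic, remainder zeroed
    header_len = e_lfanew + 4 + 20 + size_opt + 40 * nsections
    raw_ptr = (header_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    header = (dos + PE_SIG + coff + opt + section).ljust(raw_ptr, b"\x00")
    return header + section_data


def image_end_offset(data: bytes) -> int:
    """Return the file offset where the last section's raw data ends.

    Anything past this offset is the overlay: data the loader never maps
    but that a bundler can use to carry a second executable.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + size_opt
    end = sect_table + 40 * nsections
    if end > len(data):
        raise ValueError("truncated headers")
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 / +20 in each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_embedded_pes(data: bytes) -> list:
    """Offsets (in the whole file) of well-formed MZ/PE headers inside the overlay."""
    end = image_end_offset(data)
    overlay = data[end:]
    hits = []
    pos = overlay.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(overlay):
            lfanew = struct.unpack_from("<I", overlay, pos + 0x3C)[0]
            sig = pos + lfanew
            # a DOS header is at least 0x40 bytes, so e_lfanew below that is noise
            if lfanew >= 0x40 and sig + 4 <= len(overlay) and overlay[sig:sig + 4] == PE_SIG:
                hits.append(end + pos)
        pos = overlay.find(b"MZ", pos + 1)
    return hits


# Constructed samples (hypothetical, not real binaries): a plain carrier and
# a carrier with a second PE appended after its last section.
CLEAN = build_fake_pe(b"\x90" * 64)
BUNDLED = build_fake_pe(b"\xCC" * 64) + build_fake_pe(b"\x90" * 32)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("bundled", BUNDLED)):
        print(name, "image ends at", image_end_offset(sample),
              "embedded PE headers at", find_embedded_pes(sample))
```

A hit is a prompt for review, not a verdict: legitimate installers also carry overlays (self-extracting archive data, Authenticode signature blobs), so the next step is to compare the file's digital signature and hash with what the vendor publishes before it is allowed to run.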


When the AnyDesk executable is run, BlackRouter starts encrypting files and folders in the background. Once finished, it displays a ransom note to the victim.


Earlier incidents showed a ransom of $50, but the latest version of BlackRouter demands a ransom of $300, to be paid into two accounts. However, BlackRouter incidents are reportedly few in number. With the development of the RaaS version, it may spread via remote access applications other than AnyDesk.


