Tuesday, April 29, 2025

New Ransomware Called “BlackRouter” Attack launched through Well-known Legitimate Remote Desktop Tool


The newly discovered BlackRouter ransomware is being distributed alongside the well-known remote desktop tool AnyDesk, with the legitimate tool bundled together with the malicious payload.

AnyDesk is a widely used remote desktop tool, similar to TeamViewer, that provides bidirectional remote control between desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS.

Cybercriminals are abusing AnyDesk to distribute the new BlackRouter ransomware, bundling the ransomware with the AnyDesk tool package in order to infiltrate the victim's system.

Bundling BlackRouter ransomware with a legitimate tool may be a technique the attackers use to evade detection by security software.

BlackRouter Ransomware Infection Process

Initial propagation starts with victims who unknowingly download the ransomware from malicious websites, or from compromised sites that have been turned into a malware distribution medium.

The ransomware then drops two files onto the victim's computer and executes them to carry out the rest of the malicious process.

  • %User Temp%\ANYDESK.exe
  • %User Temp%\BLACKROUTER.exe

The first file is AnyDesk, which can perform file transfers, provide client-to-client chat and log sessions. In this case the attackers are using an old version of AnyDesk rather than the current one.

The second file is the actual BlackRouter ransomware, which encrypts files on the infected system across many different extensions, such as .gif, .mp4, .pdf, .xls, etc.
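The two dropped files give a defender a concrete pattern to look for: a remote-access tool executing from the user's Temp directory, and a second executable dropped next to it by the same parent within seconds. The script below is an added example (not code from the article or from Trend Micro) that runs that check over constructed, Sysmon-like process-creation events; the event field names, the executable names in REMOTE_TOOLS, the parent installer name and the 60-second pairing window are all assumptions made for the example.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample process-creation events in a Sysmon-like shape.
# These are illustrative only, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {"ts": "2025-04-29T10:00:01", "pid": 1202,
     "image": r"C:\Users\alice\AppData\Local\Temp\ANYDESK.exe",
     "parent_image": r"C:\Users\alice\Downloads\AnyDesk-Setup.exe", "parent_pid": 1188},
    {"ts": "2025-04-29T10:00:03", "pid": 1215,
     "image": r"C:\Users\alice\AppData\Local\Temp\BLACKROUTER.exe",
     "parent_image": r"C:\Users\alice\Downloads\AnyDesk-Setup.exe", "parent_pid": 1188},
    # Benign control: the installed AnyDesk started from Explorer.
    {"ts": "2025-04-29T10:07:40", "pid": 2301,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_pid": 900},
    {"ts": "2025-04-29T10:09:12", "pid": 2350,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_pid": 900},
]

# Remote-access tools named in the article; executable names are assumed.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Path fragments that identify the user and system Temp directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Two executables from one parent inside this window count as a paired drop.
PAIR_WINDOW = timedelta(seconds=60)


def in_temp(path):
    """True when the image path lies under a Windows Temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def analyze(events):
    """Return (finding_type, detail) tuples for the two patterns described:
    a remote-access tool launched from Temp, and several executables
    started from Temp by the same parent process within PAIR_WINDOW."""
    findings = []
    by_parent = {}
    for event in events:
        if not in_temp(event["image"]):
            continue
        name = ntpath.basename(event["image"]).lower()
        if name in REMOTE_TOOLS:
            findings.append(("remote_tool_launched_from_temp", event["image"]))
        by_parent.setdefault(event["parent_pid"], []).append(event)

    for children in by_parent.values():
        if len(children) < 2:
            continue
        children.sort(key=lambda e: e["ts"])
        first = datetime.fromisoformat(children[0]["ts"])
        last = datetime.fromisoformat(children[-1]["ts"])
        if last - first <= PAIR_WINDOW:
            findings.append(("multiple_temp_executables_from_one_parent",
                             children[0]["parent_image"]))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

AnyDesk is legitimately used as a portable binary, so the first finding on its own is a triage lead rather than a verdict; the paired-drop finding from the same parent is what narrows it to the bundling behaviour the article describes.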

According to Trend Micro, during the infection process AnyDesk runs in the affected system's background while the BlackRouter ransomware searches the following folders and encrypts all the files in them:

  • %Desktop%
  • %Application Data%
  • %AppDataLocal%
  • %Program Data%
  • %User Profile%
  • %System Root%\Users\All Users
  • %System Root%\Users\Default
  • %System Root%\Users\Public
  • All Drives except for %System Root%
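Because the folders the ransomware walks are known, a cheap way to catch the encryption phase early is to plant a canary file in each of them and alert the moment one is altered or disappears. The script below is an added example (not code from the article or from Trend Micro): the mapping from the article's %Folder% labels to Windows environment variables is my assumption, and the canary file name and contents are constructed. A demo function exercises the whole cycle in a temporary directory so it runs on any platform.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Folders named in the write-up, mapped to the Windows environment variable
# each normally resolves from plus a relative sub-path. The mapping is an
# assumption for this example; the article lists only the %Folder% labels.
TARGET_FOLDERS = {
    "%Desktop%": ("USERPROFILE", ("Desktop",)),
    "%Application Data%": ("APPDATA", ()),
    "%AppDataLocal%": ("LOCALAPPDATA", ()),
    "%Program Data%": ("ProgramData", ()),
    "%User Profile%": ("USERPROFILE", ()),
    r"%System Root%\Users\All Users": ("SystemDrive", ("Users", "All Users")),
    r"%System Root%\Users\Default": ("SystemDrive", ("Users", "Default")),
    r"%System Root%\Users\Public": ("SystemDrive", ("Users", "Public")),
}

CANARY_NAME = "~canary_do_not_open.txt"   # constructed name
CANARY_BODY = b"canary: any change to this file signals mass file tampering\n"


def resolve_targets(env):
    """Turn the article's %Folder% labels into concrete directories using
    the given environment mapping (os.environ on a host, a dict in tests).
    Labels whose variable is absent are skipped rather than guessed."""
    resolved = {}
    for label, (var, sub) in TARGET_FOLDERS.items():
        base = env.get(var)
        if base:
            resolved[label] = os.path.join(base, *sub)
    return resolved


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_canaries(directories):
    """Write one canary per directory; return a {path: sha256} baseline.
    Directories that cannot be written to are skipped."""
    baseline = {}
    for directory in directories:
        canary = Path(directory) / CANARY_NAME
        try:
            canary.parent.mkdir(parents=True, exist_ok=True)
            canary.write_bytes(CANARY_BODY)
            baseline[str(canary)] = _sha256(canary)
        except OSError:
            continue
    return baseline


def check_canaries(baseline):
    """Return canary paths that were altered, renamed or removed since the
    baseline. A ransomware pass over the folder changes or replaces them."""
    tampered = []
    for path, digest in baseline.items():
        candidate = Path(path)
        if not candidate.is_file() or _sha256(candidate) != digest:
            tampered.append(path)
    return tampered


def demo_run():
    """Plant a canary in a temp dir, verify it is clean, simulate tampering
    (appending bytes, as an in-place encryptor would rewrite the file),
    and return (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_canaries([tmp])
        clean = check_canaries(baseline)
        path = next(iter(baseline))
        with open(path, "ab") as fh:
            fh.write(b"\x00garbage")
        tampered = check_canaries(baseline)
    return clean, tampered


if __name__ == "__main__":
    print("resolved:", resolve_targets(os.environ))
    print("demo:", demo_run())
```

On a real host the baseline would be stored outside the monitored folders and check_canaries run on a short timer; the "All drives except %System Root%" entry from the list is not covered here because it is a set of volumes rather than a single directory.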

After it completes the encryption process, it displays a ransom note containing detailed information about what has happened to the infected computer.

It demands a payment of $50 in bitcoin to restore access to the locked files, and it says that once victims have paid the ransom they will receive the decryption key via Telegram.

It also warns victims not to shut down the computer, claiming that if they do, all the encrypted files will be locked forever.

Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer's developers have acknowledged its abuse and have also included some anti-malware protection in some of its tools, the researchers said.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
