IObit members experienced devastating consequences after falling for what looked like a phishing scam. As it turns out, IObit, the Windows utility developer, suffered a forum hacking attack that was then used to target its members with ransomware.
IObit Forum Hacking Hit Members Too
As revealed, the incident happened over the weekend, when members received emails that appeared to come from the forum. These too-good-to-be-true emails offered a 1-year free license for the IObit security suite to all members.
The email appeared legitimate as it arrived from the genuine IObit domain. The message included a “GET IT NOW” link that redirected to an apparent IObit page that no longer exists. It further created a sense of urgency by pushing the recipients to click on the given link within 2 days.
Clicking on the link then downloaded a file named “free-iobit-license-promo.zip” containing the malware. As stated by Bleeping Computer,
This zip file [VirusTotal] contains digitally signed files from the legitimate IObit License Manager program, but with the IObitUnlocker.dll replaced with an unsigned malicious version.
Upon execution, the malicious .dll would install the DeroHE ransomware to the path C:\Program Files (x86)\IObit\iobit.dll for malware execution.
About DeroHE Ransomware
DeroHE (Dero Homomorphic Encryption) ransomware appears to be a new ransomware family that, in effect, aims at promoting the DERO cryptocurrency. The attackers demand the ransom in DERO and lure the victims to “invest” this way.
In the referred incident, the attackers demanded $100 from each victim in the form of 200 DERO coins. They also pledge to return $500 to the victims later, once the price of DERO reaches $100/coin.
Their first trick, though, is to push the victims to make IObit pay the ransom of 100,000 coins, since they put the blame for the attack on IObit. If IObit pays the ransom, the attackers promise to decrypt the data for all victims.
Regarding the malware, DeroHE ransomware, when executed, adds exclusions for DLLs to Windows Defender. It then starts infecting the system. Meanwhile, it displays the following message telling the user not to shut down the system.
Please wait. It may take a little longer than expected. Keep your computer running or screen on!
In the background, it encrypts the data, appending a string of information to the files and renaming them with the “.DeroHE” extension.
Lastly, it places a ransom note and a separate file listing the encrypted files on the desktop.
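As an added example (not from the article, Bleeping Computer or IObit), the two behaviours described above, the Defender exclusion change and the mass rename to .DeroHE, can be turned into a simple detection over endpoint telemetry. The Python below runs over constructed sample events; the 5007 message text and the rename record format are assumptions modelled on Windows Defender's configuration-change event and a generic file-rename audit record.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs), modelled on the behaviour described above:
# Defender configuration changes (ID 5007) adding exclusions, then renames appending .DeroHE.
SAMPLE_EVENTS = [
    {"id": 5007, "msg": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\dll = 0x0"},
    {"id": 5007, "msg": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IObit = 0x0"},
    {"id": 5007, "msg": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\LastScanRun = 0x1"},  # benign change
    {"id": 4663, "msg": r"Rename: C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.DeroHE"},
    {"id": 4663, "msg": r"Rename: C:\Users\alice\Documents\report.docx -> C:\Users\alice\Documents\report.docx.DeroHE"},
    {"id": 4663, "msg": r"Rename: C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.DeroHE"},
    {"id": 4663, "msg": r"Rename: C:\Users\alice\Downloads\draft.txt -> C:\Users\alice\Downloads\draft_v2.txt"},  # normal rename
]

EXCLUSION_RE = re.compile(r"Exclusions\\(Extensions|Paths|Processes)\\(.+?) = ", re.IGNORECASE)
RENAME_RE = re.compile(r"Rename: (.+?) -> (.+)$")
RANSOM_EXT = ".DeroHE"


def new_exclusions(events):
    """Return (kind, value) for every Defender exclusion added via a 5007 event."""
    found = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        m = EXCLUSION_RE.search(ev["msg"])
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def ransom_renames(events, ext=RANSOM_EXT):
    """Count renames whose new name ends with the ransomware extension, per directory."""
    per_dir = Counter()
    for ev in events:
        m = RENAME_RE.search(ev["msg"])
        if m and m.group(2).endswith(ext):
            per_dir[m.group(2).rsplit("\\", 1)[0]] += 1
    return per_dir


def triage(events, rename_threshold=3):
    """Combine both signals; exclusion tampering plus a rename burst is a strong indicator."""
    exclusions = new_exclusions(events)
    renames = ransom_renames(events)
    return {
        "exclusions": exclusions,
        "dll_exclusion": any(k == "extensions" and v.lower() == "dll" for k, v in exclusions),
        "rename_burst": sum(renames.values()) >= rename_threshold,
        "renamed_dirs": dict(renames),
    }
```

On a real host the same two signals would come from the Microsoft-Windows-Windows Defender/Operational log and file-system auditing, and the `.DeroHE` extension would normally be one entry in a list of known ransomware extensions rather than a single constant.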
The IObit forum website remained compromised at the time of writing this article. For now, it’s unclear whether IObit has paid or will pay the ransom to the attackers.