Delaware, USA – May 2, 2018 – Researchers from TrendMicro discovered new ransomware strain, which is distributed with the legitimate application AnyDesk. AnyDesk is a popular application for remote control between various operating systems that can log sessions and transfer files. Blackheart ransomware drops two executable files to user’s temp folder, one of which is the ransomware component and the second is the AnyDesk application and runs both files. Malware removes all shadow copies, encrypts user files and drops a ransom note demanding only $50 for decryption. At the moment, running the additional application only serves to mask ransomware actions, but researchers believe that attackers are experimenting with AnyDesk and will try to use this programme to distribute ransomware, as it was once with TeamViewer.
At this time, it is not known how the Blackheart ransomware enters the victim system, but it is most likely that malware is spreading via malicious websites. To detect the activity of this ransomware, you can use your SIEM and Ransomware Hunter package from Threat Detection Marketplace. Sysmon Framework and Windows Security Monitor can help you track suspicious activity on Windows hosts that send logs to SIEM.