# BlackRouter Ransomware Promoted as a RaaS by Iranian Developer

**[bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/](https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

January 17, 2019 05:48 PM

A ransomware called BlackRouter has been discovered being promoted as a Ransomware-as-a-Service on Telegram by an Iranian developer. This same actor previously distributed another ransomware called Blackheart and promotes other infections such as a RAT.

BlackRouter was originally spotted in May 2018 and had its moment of fame when [TrendMicro discovered it being dropped along with the AnyDesk remote access](https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29) program and keyloggers on victims' computers.

**Original BlackRouter/Blackheart Ransomware**

In early January, a new version of the BlackRouter Ransomware was discovered by a security researcher named [Petrovic](https://twitter.com/petrovic082/status/1081819901797548032), who shared the sample on Twitter. Furthermore, MalwareHunterTeam [stated](https://twitter.com/malwrhunterteam/status/1082322503320682496) that this was basically the same as the previous variant, but with a better looking GUI and the addition of a timer.

**BlackRouter Ransomware GUI**

Soon after BlackRouter was discovered, another security researcher named [A Shadow](https://twitter.com/arealshadow) told BleepingComputer that this ransomware was being promoted as a RaaS in a hacking channel on Telegram by an Iranian developer.
**BlackRouter Promotion on Telegram**

Affiliates who join this RaaS and distribute the BlackRouter ransomware will earn 80% of any paid ransom payments, with the other 20% going to the BlackRouter developer.

In addition, this actor is promoting a remote access Trojan called BlackRat that allegedly includes features such as encrypted communications, AV evasion, small size, plugins, the ability to enable RDP, configure a miner, and steal cryptocurrency wallets, a keylogger, a password stealer, and more.

**BlackRat Promotion**

BlackRouter does not seem to be heavily distributed, with only one submission to ID Ransomware since December 31.

With that said, ransomware like BlackRouter is commonly distributed via hacking into Remote Desktop Services or through fake cracks and downloads. Therefore, make sure not to allow RDP to connect directly to the Internet, and be sure to scan anything you download from an untrusted source.
[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

## Comments

[achzone - 3 years ago](https://www.bleepingcomputer.com/forums/u/1049381/achzone/)

I found this very interesting and enlightening. Thanks much for writing and sharing it! Regards, Andrew

[NoneRain - 3 years ago](https://www.bleepingcomputer.com/forums/u/1112107/nonerain/)

I agree! The articles here are always very well written and with contextual information that really adds to us.