{
	"id": "80a14f2f-7afb-4b73-9f59-c875026329a0",
	"created_at": "2026-04-06T00:21:36.567449Z",
	"updated_at": "2026-04-10T03:21:59.163999Z",
	"deleted_at": null,
	"sha1_hash": "a208e78511f96b19273ec70f6a064af1f72f327c",
	"title": "BlackRouter Ransomware Promoted as a RaaS by Iranian Developer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1950631,
	"plain_text": "BlackRouter Ransomware Promoted as a RaaS by Iranian Developer\r\nBy Lawrence Abrams\r\nPublished: 2019-01-17 · Archived: 2026-04-05 21:49:17 UTC\r\nA ransomware called BlackRouter has been discovered being promoted as a Ransomware-as-a-Service on Telegram by an\r\nIranian developer. This same actor previously distributed another ransomware called Blackheart and promotes other\r\ninfections such as a RAT.\r\nBlackRouter was originally spotted in May 2018 and had its moment of fame when TrendMicro discovered it being dropped\r\nalong with the AnyDesk remote access program and keyloggers on victims' computers.\r\nOriginal BlackRouter/Blackheart Ransomware\r\nIn early January, a new version of the BlackRouter Ransomware was discovered by a security researcher named Petrovic,\r\nwho shared the sample on Twitter. Furthermore, MalwareHunterTeam stated that this was basically the same as the previous\r\nvariant, but with a better looking GUI and the addition of a timer.\r\nhttps://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/\r\nPage 1 of 5\n\nBlackRouter Ransomware GUI\r\nSoon after BlackRouter was discovered, another security researcher named A Shadow told BleepingComputer that this\r\nransomware was being promoted as a RaaS in a hacking channel on Telegram by an Iranian developer.
\r\nBlackRouter Promotion on Telegram\r\nAffiliates who join this RaaS and distribute the BlackRouter ransomware will earn 80% of any paid ransom payments, with\r\nthe other 20% going to the BlackRouter developer.\r\nIn addition, this actor is promoting a remote access Trojan called BlackRat that allegedly includes features such as encrypted\r\ncommunications, AV evasion, small size, plugins, the ability to enable RDP, configure a miner, steal cryptocurrency wallets,\r\nkeylogger, password-stealer, and more.\r\nBlackRat Promotion\r\nBlackRouter does not seem to be heavily distributed, with only one submission to ID Ransomware since December 31.\r\nWith that said, ransomware like BlackRouter is commonly distributed via hacking into Remote Desktop Services or through\r\nfake cracks and downloads. Therefore, make sure to not allow RDP to connect directly to the Internet and be sure to scan\r\nanything you download from an untrusted source.\r\nSource: https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/"
	],
	"report_names": [
		"blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a208e78511f96b19273ec70f6a064af1f72f327c.pdf",
		"text": "https://archive.orkl.eu/a208e78511f96b19273ec70f6a064af1f72f327c.txt",
		"img": "https://archive.orkl.eu/a208e78511f96b19273ec70f6a064af1f72f327c.jpg"
	}
}