{
	"id": "0560c596-3afb-4f69-87f3-2e6094c08f2e",
	"created_at": "2026-04-06T00:22:38.27788Z",
	"updated_at": "2026-04-10T03:20:41.904346Z",
	"deleted_at": null,
	"sha1_hash": "f658b4e09f2e1dee6d99d19cc5f6c9f56ba04c19",
	"title": "AnyDesk Bundled with New Ransomware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70750,
	"plain_text": "AnyDesk Bundled with New Ransomware Variant\r\nBy Raphael Centeno\r\nPublished: 2018-05-01 · Archived: 2026-04-05 22:23:50 UTC\r\nWe recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload. This isn’t the first time that malware has abused a similar tool. TeamViewer, a tool with more than 200 million users, was abused by a previous ransomware that used the victim’s connections as a distribution method.\r\nIn this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.\r\nBundling a legitimate tool with ransomware\r\nAlthough the specifics of how RANSOM_BLACKHEART enters the system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites. Once downloaded, RANSOM_BLACKHEART drops and executes two files:\r\n%User Temp%\\ANYDESK.exe\r\n%User Temp%\\BLACKROUTER.exe\r\nFigure 1. The files dropped by RANSOM_BLACKHEART\r\nAs noted earlier, the first file contains AnyDesk, a powerful application capable of bidirectional remote control between different desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS. In addition, it can perform file transfers, provide client-to-client chat and can also log sessions. Note that the version used by the attackers is an older version of AnyDesk, and not the current one.\r\nFigure 2. The AnyDesk user interface on the sample we analyzed\r\nIt will also delete shadow copies via the following process:\r\n\"cmd.exe\" /c vssadmin.exe delete shadows /all /quiet\r\nThe second file is the actual ransomware. Based on our analysis, we can determine that it's a fairly common ransomware, with a routine that encrypts a variety of file types, identified by their extensions. The complete list can be seen below:\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging\r\nPage 1 of 3\r\n.dbf\r\n.doc\r\n.docx\r\n.dt\r\n.dwg\r\n.efd\r\n.elf\r\n.epf\r\n.erf\r\n.exe\r\n.geo\r\n.gif\r\n.grs\r\n.html\r\n.ini\r\n.jpeg\r\n.jpg\r\n.lgf\r\n.lgp\r\n.log\r\n.mdb\r\n.mft\r\n.mkv\r\n.mp3\r\n.mp4\r\n.mxl\r\n.odt\r\n.pdf\r\n.pff\r\n.php\r\n.png\r\n.ppt\r\n.pptx\r\n.psd\r\n.rar\r\n.rtf\r\n.sln\r\n.sql\r\n.sqlite\r\n.st\r\n.tiff\r\n.txt\r\n.vrp\r\n.webmp\r\n.wmv\r\n.xls\r\n.xlsx\r\n.xml\r\n.zip\r\n1cd\r\nIt will search out and encrypt all files with these extensions in the following folders:\r\n%Desktop%\r\n%Application Data%\r\n%AppDataLocal%\r\n%Program Data%\r\n%User Profile%\r\n%System Root%\\Users\\All Users\r\n%System Root%\\Users\\Default\r\n%System Root%\\Users\\Public\r\nAll Drives except for %System Root%\r\nOnce it has found and encrypted a file, it will append the .BlackRouter extension to the affected file. When it has completed its encryption routine, RANSOM_BLACKHEART will then drop a ransom note, in which the attackers demand $50 or 0.006164 BTC for decryption, in the following locations:\r\n{All Drives}:\\ReadME-BlackRouter.txt\r\n%Desktop%\\ReadME-BlackRouter.txt\r\nFigure 3. Screenshot of the ransom note\r\nWe believe bundling AnyDesk with the ransomware might be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background — masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools.\r\nNote that we found another malicious sample that is very similar, but it's bundled with a keylogger (detected as TSPY_KEYLOGGER.THDBEAH) instead of ransomware. AnyDesk has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take.\r\nTrend Micro Solutions\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway, endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nRelated hash detected as RANSOM_BLACKHEART.THDBCAH:\r\n85173ef5572f316df839e63b4e1526e97e5f123ae73f898b872baa6a5a9711f\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging"
	],
	"report_names": [
		"unsupported-teamviewer-versions-exploited-backdoors-keylogging"
	],
	"threat_actors": [],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f658b4e09f2e1dee6d99d19cc5f6c9f56ba04c19.pdf",
		"text": "https://archive.orkl.eu/f658b4e09f2e1dee6d99d19cc5f6c9f56ba04c19.txt",
		"img": "https://archive.orkl.eu/f658b4e09f2e1dee6d99d19cc5f6c9f56ba04c19.jpg"
	}
}