DeroHE ransomware distributed through IOBit forums

Over the weekend, members of the IObit forums have reported that that they have received a phishing email awarding forum members “a free 1-year license” with a download link.


As per the available details in forums, the message was signed on behalf of the IObit domain and distributed ransomware that, once downloaded on the computer, changed the extensions of the stored files to “DeroHE”.

A number of security experts classified this accident as a widespread phishing attack, considering the fact that everyone that received the malicious e-mail was an IObit user.

The phishing email message is carefully crafted and looks legit, including the sender’s email address, the artwork, and the link on its URL, according to victims.

IObit is a company that develops Windows system optimization tools and anti-malware software.

The IObit’s “Promo” e-mail contained a “GET IT NOW” link to hxxps:/  that is no longer available. At the time of the phishing attack, however,  it was distributing a file that had digitally signed IObit License Manager files and a malicious version of the IObitUnlocker.dll file.

The Malicious IObitUnlocker.dll  installed the DeroHE ransomware on C:\Program Files (x86)\IObit\iobit.dll [DrohE ransomware] when the IObit License Manager.exe was executed.

The targeted victims of the phishing e-mail message were tricked into believing they are receiving a legitimate promotion because most executables were signed with an IOBit certificate and the downloadable zip file was hosted on the IObit’s site.

As per the reports on the company’s forums, this attack was targeting all forum members.

DeroHE ransomware

Victims who were tricked to click on the malicious email have reported that the DeroHE ransomware has not only renamed their files but has also removed their file type from the header and describe the damage caused as extraordinary.

As per the analysis of security researchers, DeroHE operates by adding a Windows autorun named “IObit License Manager” in the startup. It also adds special Windows Defender exclusions to enable the malicious .dll file to run on the computer without being detected.

A fake message that pretends to originate from the IObit License Manager also appears on the screen. It warns the victims not to shut their computers off. In this way, the ransomware ensures the completion of its agenda. In the end, the threat adds the .DeroHE extension to all encrypted files.

When the encryption completes, DeroHE creates a ransom note named READ_TO_DECRUPT.html and a FILES_ENCRYPTED.html file on the desktop. The cybercriminals behind this threat demand a ransom payable in a cryptocurrency called DERO and ask for 200 DERO coins (about $100) in exchange for decrypting the files.

The Tor website says that if IObit pays $100,000 in DERO coins to the attackers, all encrypted computers will be decrypted.  

Currently, DeroHE ransomware is being researched and analyzed for vulnerabilities that could allow the victims to decrypt their files free of charge.

One of the likely explanations of the phishing attack on IObit users is that the attackers have possibly compromised the forum of IObit and have gained access to an administrator account to build the fake promotional page and host the ransomware-infected download file.

Sections of the company’s website, including the forum pages appear to be compromised as clicking on them redirects to adult pages and different notifications for subscriptions.

Researchers in the cybersecurity field share the opinion that the forum was hacked by attackers by inserting a malicious script on all pages. IObit has not come up with an official statement on the incident.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment