Another supply chain attack: Infected IObit promotion installs ransomware

A number of cybersecurity experts predicted at the end of the year that hackers will quickly learn lessons from the SolarWinds Orion supply chain hack to distribute malware. It seems they already have.

According to Bleeping Computer, there’s apparently been a compromise at a San Francisco-based software company named IObit, which makes Windows utilities. Just like the corruption of the SolarWinds update mechanism to install a backdoor in Orion, the update process in IObit has been manipulated to distribute ransomware.

Bleeping Computer says that over the weekend, users of the IObit forum began receiving emails claiming to be from the company saying users were entitled to a free one-year license to their software for being a forum member. The message includes an image of IObit products wrapped in a gift bow to convince readers of its authenticity. A link in that email went to a site that looked legitimate for downloading the zip file update.

However, the file included malware. The supposed licence extension even included digitally signed verification files from IObit. That’s the same way the SolarWinds hackers were able to get their malware to pass as an update for Orion. However, the malware in the IObit update was ransomware.

The site with the phony update has since been taken down. Bleeping Computer suspects that to create the fake promotion page and host a malicious download the attackers hacked IObit’s forum and gained access to an administrative account.

The response so far

Asked for comment on the report, Emma Chen of IObit said that on Jan. 17, the company found the attack through the bug on the IObit forum, which is built on a third-party platform. “We immediately closed the whole forum and updated our database to stop the spread of the ransomware. And for now, we are trying to build an IObit forum with a new and safer platform.”

IObit’s products include Advanced SystemCare 14 Pro for optimizing PCs; IObit Malware Fighter 8; Protect Folder and Password Generator.

Bleeping Computer says the ransomware strain is called DeroHE because it appends the .DeroHE extension to encrypted files.

After compromising Windows Defender with an infected DLL, the ransomware displays a message box claiming to be from IObit License Manager stating, “Please wait. It may take a little longer than expected. Keep your computer running or screen on!” That stops victims from shutting off their devices before the ransomware finishes.

When finished, a ransom note is displayed, asking for payment in a cryptocurrency called DERO to get the decryption key. There’s also a link to a Tor site the Tor site that says IObit can send US$100,000 in DERO coins to decrypt all victims.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now