Iranian developer advertised BlackRouter RaaS

Pierluigi Paganini January 21, 2019

An Iranian developer is promoting on a Telegram hacking channel the BlackRouter ransomware through a Ransomware-as-a-Service model.

An Iranian developer is advertising on Telegram a Ransomware-as-a-Service called BlackRouter. The same expert advertises other malware and is believed to the author of another ransomware called Blackheart.
promotes other infections such as a RAT.

BlackRouter was first observed in May 2018, at the time experts at TrendMicro discovered legitimate application AnyDesk bundled with the Ransomware.

According to Bleeping Computer, security researcher Petrovic discovered a new variant of the BlackRouter Ransomware in January, but the MalwareHunterTeam stated that only differences between this variant and previous ones were an improved GUI and the implementation of a timer.

blackrouter 2

A researcher that goes online with the handle A Shadow told BleepingComputer that the same ransomware was offered as a RaaS platform in a hacking channel on Telegram by an Iranian developer. 

The developer offers to its customers 80% of paid ransom payments, keeping for him the remaining 20%.


At the time, the BlackRouter was not widespread, Bleeping Computer reports only one submission to ID Ransomware since December 31.

The ransomware was mainly distributed via RDP accesses or through fake cracks and downloads.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ransomware-as-a-service, malware)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment