Cyber Threat Actor: DeroHE
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
0 incidents |
|---|
Profile
The threat actor known asDeroHE, also referred to as Dero and DEROHE, has been observed conducting ransomware operations that leverage the DERO cryptocurrency for extortion. Public reporting indicates the actor is based in Russia, although no further geographic details are provided. The actor’s primary targeting has been observed against software developers, exemplified by the compromise of the IObit forums, a Windows‑software vendor. Their strategic objective appears to be financial gain, as they demand ransom payments in DERO cryptocurrency from both individual victims and the compromised organization. No evidence of espionage or disruptive motives beyond the extortion scheme is presented in the source material.
The actor’s typical tactics include gaining unauthorized access to web forums, uploading malicious installers, and distributing them via phishing‑style emails that promise free software promotions. Initial access is achieved through forum hacking, after which the actors place a ransomware installer that masquerades as a legitimate IObit software update. The malware family associated with these operations is DeroHE ransomware, which encrypts victim files and offers a decryptor only after payment of $100 in DERO per user or a bulk payment of $100,000 in DERO from the targeted company. In addition to the ransomware payload, the actors have deployed adware scripts that redirect forum visitors to adult sites and have left web shells to maintain persistence. The ransom notes posted on the compromised forums explicitly stated that IObit must send 100,000 DERO or face additional hacks and data leaks. The actors also communicated directly with IObit forum users via email, attaching a link to the fraudulent installer hosted on the compromised forum itself. After the initial intrusion, the forums displayed persistent adware that redirected clicks to adult content, indicating a secondary monetization attempt alongside the ransomware scheme. IObit responded by taking the forums offline, presumably to remove web shells and patch vulnerabilities, but did not issue a public statement about the incident according to the reporting. The reporting notes that DeroHE is the first ransomware to require payment in DERO, which is likely to promote the cryptocurrency and increase its value. No additional campaigns or victim sectors beyond the IObit incident are described in the source material, limiting the observable scope of the actor’s activities to this specific operation. While the actor’s location is noted as Russian, no explicit links to state sponsorship or known criminal consortia have been established in the available reporting. The IObit forum intrusion remains the most concrete example of the actor’s methodology, illustrating a financially motivated ransomware operation that combines web‑forum compromise, email‑based lure distribution, and cryptocurrency‑based extortion.
