Cyber Incident Victim: IObit
Date: Jan 2021
Location: United States of America
Summary
A ransomware gang repeatedly compromised a software developer's forums, distributing DeroHE ransomware through fraudulent emails posing as a software promotion. Attackers demanded individual payments in DERO cryptocurrency or a $100,000 sum from the company to halt further breaches, subsequently defacing the forums with threats and redirecting users to malicious sites. The company took its forums offline amid ongoing intrusions but faced criticism for not issuing public statements or addressing user concerns regarding the attacks and data security.
Description
On January 16, 2021, threat actors associated with the DeroHE ransomware compromised IObit’s online forums as part of a coordinated attack. The attackers distributed ransomware by emailing all IObit forum users under the guise of a free software promotion. These emails contained links to malicious installers hosted directly on IObit’s compromised forums, leading recipients to inadvertently download and execute the DeroHE ransomware. Upon infection, victims received demands for $100 in DERO cryptocurrency to obtain individual decryptors, while IObit was presented with an ultimatum to pay $100,000 in DERO to decrypt all affected systems collectively. DeroHE distinguished itself as the first ransomware to mandate payments exclusively in DERO, a privacy-focused cryptocurrency marketed for anonymous transactions and smart contracts. The initial compromise also left IObit’s forums defaced with adware scripts that redirected users clicking forum links to adult content sites, exacerbating disruptions to legitimate users.

Following the January 16 breach, the ransomware gang continued targeting IObit’s forums over the subsequent weekend, replacing prior defacements with a direct extortion message. This new message taunted IObit for failing to secure its servers despite the prior incident and reiterated the $100,000 DERO demand, threatening further attacks and data leaks if unpaid. By January 25, IObit had taken its forums offline entirely, with connection attempts timing out, indicating efforts to remove attacker-controlled web shells and remediate vulnerabilities. The company did not issue public statements acknowledging the ransomware campaign, forum compromises, or mitigation steps, despite repeated user complaints and media inquiries. This lack of communication left forum users uncertain about the security of their data and the timeline for service restoration, while the attackers leveraged the high-profile platform to promote DERO’s adoption through coercive means.
