IOBit hacked again and victim of ransomware

Windows tool developer IOBit became the victim of a ransomware attack again last weekend, after the IOBit forum had already been hacked and ransomware was spread to forum users a week ago. Here is what's known so far.


I reported on the first case on January 19, 2021 in the blog post IOBit forum hacked, spreaded DeroHE ransomware. At that time, IObit forum members received emails that claimed to be from IObit and said they were entitled to a free 1-year license for its software as a special perk for being a member of the forum. Those who installed this 'offer' got ransomware on their Windows machines.

When the first report was published after the weekend, the download link for the ransomware had indeed been removed. However, Bleeping Computer mentioned here that the IOBit forum still contained adware scripts. It can be assumed that the forum software was not cleanly reset or rebuilt, and that only an emergency repair in the form of a deleted link was made. This has now taken its revenge: last weekend there was a second attack, as I read during the night in the following tweet from Bleeping Computer.

IOBit hacked again

Last weekend, visitors to the IOBit forum were once again surprised with the message shown in the following tweet. The message was there all weekend: Hello, your IObit have been hacked! A week has passed and your "antivirus" company still doing nothing to secure their server! IObit send us 100000 DERO or more hacks and leaks to come.

IOBit ransomware notice


The forum was hacked and the website was down. The attackers demanded the equivalent of 100,000 US dollars and threatened that the hacks would continue if payment was not made. The IOBit forum is currently down; I assume they are now frantically trying to clean up the forum and find the vulnerability that allowed the attack to succeed twice. Bleeping Computer suspects that an outdated version of the vBulletin forum software is responsible for both attacks.
