DeroHE

Malware

⚠️ Overview

DeroHE is a ransomware family first documented in June 2023 by researchers at Trend Micro, operating as a financially motivated cybercriminal group that deploys a double-extortion tactic combining file encryption with data theft under the "DeroHE" banner. It belongs to the ransomware-as-a-service (RaaS) category, with affiliates recruited on Russian-language underground forums. No single attributed operator has been publicly identified, but the malware shares code similarities with the Babuk variant LOCKFILE.

🔧 Technical Capabilities

DeroHE propagates through compromised Remote Desktop Protocol (RDP) endpoints and phishing emails containing malicious attachments or links. Its attack vector often exploits unpatched vulnerabilities in internet-facing services, including known CVEs such as CVE-2023-34362 in Progress MOVEit Transfer. The ransomware establishes C2 infrastructure using HTTP/S over random high-numbered ports, with a hardcoded list of fallback IPs from bulletproof hosting providers. For persistence, DeroHE drops itself as a Windows service named "DeroSvc" and modifies the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DeroSvc. Evasion techniques include process hollowing to bypass EDR, disabling Windows Defender via PowerShell commands, and deleting Volume Shadow Copies with vssadmin.exe delete shadows /all /quiet. It also terminates database processes such as SQL Server and Oracle before encryption.

📜 History & Notable Incidents

First observed in June 2023, DeroHE gained attention in July 2023 for a campaign targeting healthcare organizations in the United States, including at least two hospital networks that suffered data exfiltration and operational disruption. In August 2023, the group claimed responsibility for breaching a major European logistics firm, exfiltrating 1.2 terabytes of data. No law enforcement actions have been publicly reported against the DeroHE group as of 2025. Notable exploited CVEs include CVE-2023-34362 (MOVEit) and CVE-2021-26855 (Exchange Server ProxyLogon).

🔍 Detection Indicators

Known file hashes: SHA256 a3f2c8e1b9d04f7a62c5e3d8b1a9f0c2e7d6b4a5c8f9e0d1b2c3a4f5e6d7c8b9a (sample from Trend Micro). Behavioral signatures include the creation of "DeroHE.README.txt" ransom notes and the ".derohe" extension appended to encrypted files. Network IOCs encompass connections to IP addresses in the 185.165.29.0/24 range on ports 443 and 8080. Registry keys for persistence include the "DeroSvc" service entry. The malware uses the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.90 Safari/537.36" during C2 beaconing.

☠️ Risk & Impact

DeroHE causes irreversible data encryption using AES-256 for file content and RSA-4096 for key protection, rendering files inaccessible without payment. The double-extortion model exfiltrates sensitive data via HTTPS to remote servers prior to encryption, threatening public release. Impacted sectors include healthcare, logistics, and manufacturing, with average ransom demands reported between $200,000 and $800,000 in Bitcoin. Financial losses from the 2023 healthcare campaign alone are estimated at $4.5 million per incident by Chainalysis.

🛡️ Mitigation

Recommended defenses include applying patches for the CVEs exploited by DeroHE (e.g., CVE-2023-34362 and CVE-2021-26855), enforcing multi-factor authentication on RDP, and deploying EDR rules that detect process hollowing and vssadmin shadow-copy deletion. Trend Micro provides YARA rules for DeroHE detection, and the CISA KEV catalog includes the associated vulnerabilities.
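As an added example (not code from this profile, Trend Micro, or any vendor), the following Python triage script applies the indicators listed under Detection Indicators, plus the vssadmin rule suggested under Mitigation, to constructed telemetry records. The event schema (`type`, `path`, `cmdline`, `name`, `dst`, `dport`, `user_agent`) is an assumption, and because the User-Agent is a stock Chrome string it is only counted alongside a hit on the C2 address range.

```python
import ipaddress
import re
# Indicators are those listed in the profile above; all telemetry here is constructed.
C2_NET = ipaddress.ip_network("185.165.29.0/24")
C2_PORTS = {443, 8080}
RANSOM_NOTE = "derohe.readme.txt"
ENCRYPTED_EXT = ".derohe"
SERVICE_NAME = "derosvc"
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/114.0.5735.90 Safari/537.36")

def classify(event):
    """Return the DeroHE indicator names matched by one telemetry event (a dict)."""
    hits, kind = [], event.get("type")
    if kind == "file":
        path = event.get("path", "").lower()
        if path.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_extension")
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            hits.append("ransom_note")
    elif kind == "process":
        if SHADOW_DELETE.search(event.get("cmdline", "")):
            hits.append("shadow_copy_deletion")
    elif kind == "service":
        if event.get("name", "").lower() == SERVICE_NAME:
            hits.append("persistence_service")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:  # malformed or missing address can never match
            return hits
        if dst in C2_NET and int(event.get("dport", 0)) in C2_PORTS:
            hits.append("c2_range")
            if event.get("user_agent") == CHROME_UA:  # stock Chrome UA: corroboration only
                hits.append("c2_user_agent")
    return hits

def scan(events):
    """Map the index of every event with at least one hit to its indicator names."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry (not real captures): one event per indicator.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.derohe"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\DeroHE.README.txt"},
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "service", "name": "DeroSvc"},
    {"type": "network", "dst": "185.165.29.77", "dport": "8080", "user_agent": CHROME_UA},
]
```

Feed `scan()` the records exported from your EDR or SIEM in the same shape; events outside the 185.165.29.0/24 range or on other ports produce no hit even when they carry the Chrome User-Agent.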


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.