Si Cyber Intel: Troldesh Ransomware
Mar 2019

‘Troldesh’, also known as ‘Shade’ or ‘Encoder.858’, is a family of ransomware that originated in Russia in 2014 and has subsequently spread worldwide.

Researchers have recently discovered a new wave of Troldesh attacks running from late 2018 into early 2019, in which threat actors deliver the malware as what appears to be a legitimate email attachment: a zip file that contains the infectious script and tricks the victim into running it.

Once opened, the malware gets to work and writes numerous readme#.txt files onto the now infected computer, each containing a ransom note that dictates the attackers’ preferred payment method. Security researchers have identified that computers running Windows OS are more vulnerable to Troldesh.

[Figure: Troldesh spiked in February 2019. Source: Malwarebytes Labs]

What Si’s Security Analysts Say:

The attachments are mostly zip files containing JavaScript that downloads the payload.

[Figure: Part of the obfuscated Troldesh JavaScript. Source: Malwarebytes Labs]

Recipients have to extract the zip file and double-click the JavaScript file for the ransomware to be downloaded and executed.
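As an added example (not code from Si or Malwarebytes Labs), the following Python script shows the kind of gateway-side check that stops this delivery chain before a user can double-click anything: it opens a zip attachment in memory, descends into nested zips, and flags any member whose extension is a script or executable, including double extensions such as `invoice.pdf.js`. The sample archives are constructed inline and contain only placeholder text; the extension list and the nesting limit are assumptions for this example, not values taken from the brief.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types that ordinary users should never receive inside an attachment.
# Troldesh lures carry a .js downloader; the rest are script/executable types
# that the same host mechanisms (wscript.exe, cmd.exe, ...) would run. Assumed list.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".bat", ".cmd", ".ps1",
}
MAX_NESTING = 3  # assumed limit: do not descend forever into zip-in-zip-in-zip


def risky_members(zip_bytes, depth=0, prefix=""):
    """Return archive member paths whose extension is a script or executable.

    Nested zips are opened in memory up to MAX_NESTING levels deep and reported
    as 'outer.zip/inner.js'. A corrupt archive is reported as a hit as well,
    because a gateway cannot prove that an unreadable archive is safe.
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # PurePosixPath.suffix yields only the LAST extension, so
            # 'Invoice.pdf.js' is judged by '.js', not by '.pdf'.
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                hits.append(name)
            elif suffix == ".zip" and depth < MAX_NESTING:
                hits.extend(risky_members(archive.read(info), depth + 1, name + "/"))
    return hits


def should_quarantine(zip_bytes):
    """Gateway verdict: hold the message if any risky member was found."""
    return bool(risky_members(zip_bytes))


def build_sample_lure():
    """Constructed sample shaped like the lure in the brief: a zip holding a
    double-extension .js member. The member body is placeholder text, not a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2019.pdf.js", "// placeholder text, not a real script\n")
    return buf.getvalue()


def build_sample_benign():
    """Constructed sample of an ordinary business attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", "%PDF-1.4 placeholder\n")
        zf.writestr("notes.txt", "quarterly figures\n")
    return buf.getvalue()


def build_sample_nested():
    """Constructed sample: the lure wrapped in a second zip layer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.zip", build_sample_lure())
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("lure", build_sample_lure()),
        ("benign", build_sample_benign()),
        ("nested", build_sample_nested()),
        ("corrupt", b"not a zip at all"),
    ]
    for label, data in samples:
        print(f"{label:8} quarantine={should_quarantine(data)} hits={risky_members(data)}")
```

Judging by the last extension only is deliberate: a `.pdf.js` name is exactly the double-extension trick the lure relies on, and Windows hides the final `.js` from users by default, so the gateway must not.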

The user’s data is then encrypted with AES-256 in CBC mode; once encryption completes, the malware writes many numbered readme#.txt files containing the ransom message below.

[Figure: Ransomware message. Source: Malwarebytes Labs]

The following image shows a sample of the file extensions Troldesh looks for on fixed, removable and remote drives:

[Figure: Targeted file extensions. Source: Malwarebytes Labs]

Protection

There are various security measures you can take to avoid reaching the stage where incident response has to kick in or files need to be recovered, such as the following:

  • Conduct security awareness programmes for employees a few times a year
  • Subscribe to a cyber threat intelligence provider
  • Keep your anti-virus updated
  • Scan emails with attachments
  • User education - If such emails do reach the end user, users should be informed not to open attachments of this nature or run executable files found in attachments. In addition, if your company has an anti-phishing plan, they should know whom to forward the email to in the organisation for investigation
  • Blacklisting - Most end users do not need to be able to run scripts. In those cases, you can blacklist wscript.exe
  • Update software and systems - Updating software closes vulnerabilities and keeps known exploits at bay
  • Back up files - Reliable and easy-to-deploy backups can shorten the recovery time

Remediation

If you should get to the point where remediation is necessary, these are the steps to follow:

  • Perform a full system scan - Malwarebytes can detect and remove Ransom.Troldesh without further user interaction
  • Recover files - Removing Troldesh does not decrypt your files. You can only get your files back from backups made before the infection happened or by performing a roll-back operation
  • Get rid of the culprit - Delete the email that was the root cause

IOCs that require blacklisting

Extensions for the encrypted files:

  • .xtbl
  • .ytbl
  • .cbtl
  • .no_more_ransom
  • .better_call_saul
  • .breaking_bad
  • .heisenberg
  • .da_vinci_code
  • .magic_software_syndicate
  • .windows10
  • .crypted000007
  • .crypted000078

Contacts:

  • Novikov.Vavila(@)gmail(.)com
  • Selenadymond(@)gmail(.)com
  • RobertaMacDonald1994(@)gmail(.)com

IPs:

  • TCP 154.35.32.5 443 outgoing

Bitcoin:

  • 1Q1FJJyFdLwPt5yyZAQ8kfxfeWq8eoD25E

Domain:

  • cryptsen7fo43rr6(.)onion
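The IOC list above is only useful once it is turned into a check. As an added example (not Si’s or Malwarebytes’ tooling), the Python script below does two things with the indicators exactly as listed: it walks a directory tree looking for the encrypted-file extensions and the numbered readme#.txt ransom notes, which together say whether Troldesh has already run on a host, and it filters firewall log lines for the outgoing TCP connection to 154.35.32.5 on 443. The sample directory and the log lines are constructed inline; the `src -> dst:port` log layout is an assumption made for this example and should be adapted to whatever your firewall or proxy actually exports.

```python
import re
import tempfile
from pathlib import Path

# Encrypted-file extensions exactly as listed in the IOC section.
TROLDESH_EXTENSIONS = {
    ".xtbl", ".ytbl", ".cbtl", ".no_more_ransom", ".better_call_saul",
    ".breaking_bad", ".heisenberg", ".da_vinci_code",
    ".magic_software_syndicate", ".windows10", ".crypted000007",
    ".crypted000078",
}
# The numbered ransom notes (readme1.txt, readme2.txt, ...) written after encryption.
RANSOM_NOTE = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)
# Network IOC from the brief: outgoing TCP to this address on port 443.
C2_IP = "154.35.32.5"
C2_PORT = 443


def sweep_tree(root):
    """Walk a directory tree and return (encrypted_files, ransom_notes), each sorted.

    Path.suffix is the LAST extension, so 'holiday.jpg.xtbl' is judged by '.xtbl'.
    Anything on either list is a strong sign that Troldesh has already run here.
    """
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in TROLDESH_EXTENSIONS:
            encrypted.append(path.name)
        elif RANSOM_NOTE.match(path.name):
            notes.append(path.name)
    return sorted(encrypted), sorted(notes)


def suspicious_connections(log_lines):
    """Return the log lines that record an outbound connection to C2_IP:C2_PORT.

    The 'src -> dst:port' layout is an assumption for this example. The trailing
    word boundary stops 154.35.32.5 from also matching 154.35.32.50.
    """
    pattern = re.compile(r"->\s*" + re.escape(C2_IP) + ":" + str(C2_PORT) + r"\b")
    return [line for line in log_lines if pattern.search(line)]


def build_sample_tree():
    """Constructed sample: empty files whose names imitate a post-infection host."""
    root = tempfile.mkdtemp(prefix="troldesh_demo_")
    sample_names = [
        "photos/holiday.jpg.xtbl",          # encrypted
        "docs/budget.xlsx.crypted000007",   # encrypted
        "docs/budget.xlsx",                 # untouched original, must not match
        "readme1.txt",                      # ransom note
        "readme12.txt",                     # ransom note
        "docs/readme.txt",                  # ordinary readme, must not match
    ]
    for rel in sample_names:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return root


# Constructed firewall log lines; 203.0.113.10 is a documentation-range address.
SAMPLE_LOG = [
    "2019-02-14T10:02:11 ALLOW tcp 10.0.0.17:51022 -> 203.0.113.10:443",
    "2019-02-14T10:02:13 ALLOW tcp 10.0.0.17:51023 -> 154.35.32.5:443",
    "2019-02-14T10:02:15 ALLOW tcp 10.0.0.17:51024 -> 154.35.32.50:443",
]


if __name__ == "__main__":
    encrypted, notes = sweep_tree(build_sample_tree())
    print("encrypted files:", encrypted)
    print("ransom notes:   ", notes)
    print("C2 connections: ", suspicious_connections(SAMPLE_LOG))
```

Run the sweep from a clean incident-response host against the mounted drive of a suspect machine rather than on the machine itself, so that an early-stage infection cannot interfere with the scan; the log check is cheap enough to run over a whole day of firewall exports.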

For information about Si Cyber’s services, please contact sales@siconsult.com
