LTS Secure Warning: Taking a Look At The New Variant Of Troldesh Ransomware

A new variant of the Troldesh ransomware has been observed spreading over the past couple of weeks via compromised website URLs. The attackers send messages on social media platforms and spam emails to trick users into visiting the malicious URL.

 

Technical Details

The infection starts when the victim clicks the malicious URL in the spam mail. The link loads a PHP page, which in turn downloads a JavaScript file onto the victim's device. The downloaded file is a host-based malware dropper that prepares the system to download and execute the ransomware.
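The three-stage download chain above (malicious URL serving a PHP page, then a JavaScript dropper, then the executable) is something a SOC can correlate from web-proxy logs. The following is an added example written for this page, not code from LTS Secure or from the malware; the log line layout (timestamp, client IP, URL, content type), the time windows and the sample hosts are all constructed for illustration and are not indicators for Troldesh.

```python
"""
Correlate web-proxy events into the stage chain described above:
  1. a client requests a URL that returns a PHP page
  2. the same client then fetches a JavaScript file shortly afterwards
  3. the same client then downloads an executable
Log format, hosts and thresholds are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines: "<ISO timestamp> <client-ip> <url> <content-type>"
SAMPLE_PROXY_LOG = """\
2019-06-03T10:00:01 10.0.0.5 http://site-a.example/news/index.php text/html
2019-06-03T10:00:04 10.0.0.5 http://site-a.example/assets/loader.js application/javascript
2019-06-03T10:00:09 10.0.0.5 http://cdn-b.example/pkg/update.exe application/x-msdownload
2019-06-03T10:00:12 10.0.0.7 http://site-c.example/blog/post.php text/html
2019-06-03T10:03:40 10.0.0.7 http://site-c.example/static/app.js application/javascript
2019-06-03T10:30:00 10.0.0.7 http://cdn-d.example/tool.exe application/x-msdownload
"""

JS_WINDOW = timedelta(seconds=60)    # max gap between the PHP page and the .js fetch (assumed)
EXE_WINDOW = timedelta(seconds=300)  # max gap between the .js fetch and the executable (assumed)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, client, url, content-type)."""
    ts, client, url, ctype = line.split()
    return datetime.fromisoformat(ts), client, url, ctype


def _reset() -> dict:
    return {"stage": 0, "ts": None, "urls": []}


def detect_dropper_chains(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per client whose requests match the three stages in order and in time."""
    state: Dict[str, dict] = {}   # per-client: stage reached, time of last stage, URLs so far
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ctype = parse_line(line)
        path = url.split("?", 1)[0].lower()
        st = state.setdefault(client, _reset())
        if path.endswith(".php") and ctype.startswith("text/html"):
            # Stage 1: any PHP page (re)starts the chain for this client.
            state[client] = {"stage": 1, "ts": ts, "urls": [url]}
        elif st["stage"] == 1 and ctype == "application/javascript":
            # Stage 2 only counts if it follows the PHP page quickly; otherwise drop the chain.
            if ts - st["ts"] <= JS_WINDOW:
                st["stage"], st["ts"] = 2, ts
                st["urls"].append(url)
            else:
                state[client] = _reset()
        elif st["stage"] == 2 and ctype == "application/x-msdownload":
            # Stage 3: executable fetched after the dropper script -> alert and clear state.
            if ts - st["ts"] <= EXE_WINDOW:
                alerts.append({"client": client, "chain": " -> ".join(st["urls"] + [url])})
            state[client] = _reset()
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chains(SAMPLE_PROXY_LOG):
        print(f"{alert['client']}: {alert['chain']}")
```

In the constructed sample only client 10.0.0.5 completes the chain; 10.0.0.7 fetches a script more than a minute after the PHP page, so its chain is dropped and the later executable download is not correlated. The windows are tuning knobs: too short and a slow link hides the dropper, too long and ordinary browsing produces noise.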

Upon execution, the ransomware proceeds as follows:

  • The ransomware uses two separate keys: one to encrypt the contents of each file and one to encrypt the file name.
  • Encrypting the file names as well makes it harder for the victim to identify and recover the files, pressuring them into paying the demanded ransom.
  • After encryption, the ransomware uses TOR connections to reach a remote server controlled by the attacker.
  • Finally, a README.txt file is left behind. It contains the email address to contact and the instructions the victim must follow to recover the encrypted files.
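The encryption stage described above leaves a recognisable footprint on the host: one process renames many user files to names that no longer resemble the originals (because the file name itself is encrypted) and then drops a README.txt note. The rule below is an added example written for this page, not code from LTS Secure or a published Troldesh signature; the telemetry line format, the thresholds and every path and file name in the sample are constructed for illustration.

```python
"""
Behavioural rule for the encryption stage described above: alert on a process that,
within a short window, performs many name-obscuring renames and creates README.txt.
Event format, thresholds, paths and names are constructed for this example.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed endpoint telemetry: "<ISO timestamp> <pid> <image> <action> <path>[|<new_path>]"
# (paths in this sample contain no spaces, which the simple split below relies on)
SAMPLE_FS_EVENTS = r"""
2019-06-03T10:05:00 4120 C:\Users\bob\AppData\Local\Temp\svc.exe RENAME C:\Users\bob\Documents\q1.xlsx|C:\Users\bob\Documents\Gk2j9dL1pQ
2019-06-03T10:05:03 4120 C:\Users\bob\AppData\Local\Temp\svc.exe RENAME C:\Users\bob\Documents\plan.docx|C:\Users\bob\Documents\Zz81mXa0Tv
2019-06-03T10:05:06 4120 C:\Users\bob\AppData\Local\Temp\svc.exe RENAME C:\Users\bob\Documents\photo.jpg|C:\Users\bob\Documents\R7nKd3wLqy
2019-06-03T10:05:09 4120 C:\Users\bob\AppData\Local\Temp\svc.exe RENAME C:\Users\bob\Documents\notes.txt|C:\Users\bob\Documents\Hh4tYe6bNc
2019-06-03T10:05:12 4120 C:\Users\bob\AppData\Local\Temp\svc.exe RENAME C:\Users\bob\Documents\budget.pdf|C:\Users\bob\Documents\Vv2sQp9jKm
2019-06-03T10:05:15 4120 C:\Users\bob\AppData\Local\Temp\svc.exe CREATE C:\Users\bob\Documents\README.txt
2019-06-03T10:05:20 2216 C:\Office\WINWORD.EXE RENAME C:\Users\bob\Documents\report.docx|C:\Users\bob\Documents\~$report.docx
2019-06-03T10:05:25 2216 C:\Office\WINWORD.EXE CREATE C:\Users\bob\Documents\README.txt
2019-06-03T10:06:00 1188 C:\Windows\explorer.exe RENAME C:\Users\bob\Desktop\old.txt|C:\Users\bob\Desktop\archive.txt
"""

RENAME_THRESHOLD = 5               # obscuring renames needed inside one window (assumed)
WINDOW = timedelta(seconds=60)     # window length (assumed)
NOTE_NAME = "readme.txt"           # ransom note name given in the advisory


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_obscured_rename(old_path: str, new_path: str) -> bool:
    """True when the original file stem cannot be found in the new name at all."""
    old_stem = os.path.splitext(_basename(old_path))[0].lower()
    return old_stem not in _basename(new_path).lower()


def detect_encryption_activity(events_text: str) -> List[Dict[str, object]]:
    """Return one alert per process showing a rename burst plus a ransom-note creation."""
    per_pid = defaultdict(lambda: {"image": None, "renames": [], "note": None})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, action, paths = line.split(maxsplit=4)
        rec = per_pid[pid]
        rec["image"] = image
        if action == "RENAME":
            old, new = paths.split("|", 1)
            if is_obscured_rename(old, new):
                rec["renames"].append(datetime.fromisoformat(ts))
        elif action == "CREATE" and _basename(paths).lower() == NOTE_NAME:
            rec["note"] = paths

    alerts: List[Dict[str, object]] = []
    for pid, rec in per_pid.items():
        times = sorted(rec["renames"])
        # Any run of RENAME_THRESHOLD consecutive renames that fits inside WINDOW is a burst.
        burst = any(times[i + RENAME_THRESHOLD - 1] - times[i] <= WINDOW
                    for i in range(len(times) - RENAME_THRESHOLD + 1))
        if burst and rec["note"]:
            alerts.append({"pid": pid, "image": rec["image"],
                           "renames": len(times), "note": rec["note"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_activity(SAMPLE_FS_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}): {alert['renames']} renames, note {alert['note']}")
```

In the constructed sample only pid 4120 fires: Word's rename of report.docx to ~$report.docx keeps the original stem and so is not counted, and explorer.exe performs a single obscuring rename, far below the threshold. Requiring both the rename burst and the note keeps an ordinary bulk-rename tool from triggering the rule on its own.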

 

Impact

  • Loss of Productivity.
  • Operational and financial loss to the Business or an individual.
  • Temporary or Permanent loss of Sensitive/Confidential data.

 

Recommended Actions

  • Take system backups at regular intervals and keep at least one copy offline or otherwise out of reach of the infected host, so that the backup is not encrypted along with the original data.
  • Avoid opening emails and attachments from unknown senders, and do not follow links received in unsolicited social media messages.
  • Ensure that your devices are always up to date with the latest patches.
  • Keep your antivirus software updated and perform regular malware scans; note that signature-based antivirus mainly catches known threats, so it complements rather than replaces backups and patching.