Friday, February 28, 2025
Follow us On Linkedin
HomeComputer SecurityTroldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Computer SecurityRansomware

Published on

By Gurubaran
Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Troldesh Ransomware emerges again and spreads all over the world. The crypto-ransomware variant was created in Russia, the previous variant of the ransomware encrypts the files and appends “.xtbl” extension whereas the new variant adds “.no_more_ransom” extension.

Quick heal labs observed the ransomware is distributed by threat actors through RDP Brute-force Attack, Spam and phishing emails and Exploit Kits.

Threat actors targeting the RDP default port 3389 and launches a Brute-force Attack to obtain login credentials, if the attacker’s gains control over the system they directly execute the payload on the victims.

Another method is through spam or phishing emails that download the macro embedded word document or the payload itself directly.

Troldesh Ransomware Infection Process

Once the malicious payload file executed it copies itself to the location “ AppData\Roaming\ “ and deletes the downloaded file and executes the copy of the payload from the AppData location.

The payload executes and launch a scheduled task and creates a task in name Encrypter and it has been scheduled to run every 1 minute, with a wait time of 1 hour and execution limit time limit of 72 hours.

“C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /TN Encrypter /TR
C:\Users\user_name\AppData\Roaming\info.exe

Quick Heal also spotted that the malicious payload also contains an Anti-debugging identifier to check that it is running under the control of a debugger.

Once the malicious payload gets executed it encrypts the file present in the system and appends “.no_more_ransom” extension and shows the following ransom note.

Troldesh Ransomware

In the second quarter of 2018 and the ransomware returns back with new versions of  GandCrabSigma, and GlobeImposter campaigns.

Cyber threats such as ransomware main task are to infect your computer and lock your files and Demand the ransom amount. Scan all your emails for malicious links, content, attachment and Segregate the physical and logical network to minimize the infection vector.

Also Read

Organization Cyber Disaster Recovery Plan Checklist

Best Way to Accelerate and Secure Your Website From Top Common Web Threats

Simple and Best Ways to Protect Your Windows Computer From Cyber Attack

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Chinese Hackers Breach Belgium State Security Service as Investigation Continues

Belgium’s State Security Service (VSSE) has suffered what is being described as its most...
cyber security

Hacktivist Groups Emerge With Powerful Tools for Large-Scale Cyber Operations

Hacktivism, once synonymous with symbolic website defacements and distributed denial-of-service (DDoS) attacks, has evolved...
Cyber Attack

New Pass-the-Cookie Attacks Bypass MFA, Giving Hackers Full Account Access

Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable...
Cyber Security News

Chinese Hackers Exploit Check Point VPN Zero-Day to Target Organizations Globally

A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

Cyber Attack

DragonForce Attacks Critical Infrastructure to Exfiltrate Data and Halt Operations

The DragonForce ransomware group has launched a significant cyberattack on critical infrastructure in Saudi...
cyber security

New Anubis Ransomware Targets Windows, Linux, NAS, and ESXi x64/x32 Environments

A new ransomware group, dubbed Anubis, has emerged as a significant threat in the...
cyber security

LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware

A newly identified cybercriminal group, LARVA-208, also known as EncryptHub, has successfully infiltrated 618...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved