Troldesh ransomware has emerged again and is spreading all over the world. The crypto-ransomware variant was created in Russia; the previous variant encrypted files and appended the “.xtbl” extension, whereas the new variant adds the “.no_more_ransom” extension.
Quick Heal Labs observed that the ransomware is distributed by threat actors through RDP brute-force attacks, spam and phishing emails, and exploit kits.
Threat actors target the default RDP port, 3389, and launch a brute-force attack to obtain login credentials; if the attacker gains control of the system, they execute the payload directly on the victim's machine.
Another method is spam or phishing emails that deliver either a macro-embedded Word document or the payload itself directly.
Troldesh Ransomware Infection Process
Once the malicious payload file is executed, it copies itself to “AppData\Roaming\”, deletes the downloaded file, and executes the copy of the payload from the AppData location.
The payload then creates a scheduled task named Encrypter, configured to run every 1 minute, with a wait time of 1 hour and an execution time limit of 72 hours.
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe
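The schtasks invocation above is a usable detection point: a task that re-runs every minute and whose action is a binary under a user-writable directory is rare in legitimate administration. The following is an added example (not code from Quick Heal or the original write-up) that parses schtasks /Create command lines, such as those logged in Sysmon process-creation events, and flags those two traits; the sample command lines other than the first, and the threshold of 5 minutes, are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (e.g. Sysmon EventID 1).
# The first mirrors the Troldesh task described above; the rest are made up.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 09:00 /TN BackupJob /TR "C:\Program Files\Backup\backup.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN Sync /TR C:\Users\user_name\AppData\Local\Temp\sync.exe',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN Encrypter',
]

# Directories writable without admin rights; scheduled binaries rarely belong
# here (assumption: tune this list for your environment).
USER_WRITABLE = re.compile(r'\\(AppData\\(Roaming|Local)|Temp|Downloads|Public)\\', re.I)
# Matches "/SC MINUTE", "/TR "quoted path"" and similar switch/value pairs.
ARG_RE = re.compile(r'/(SC|TN|TR|MO)\s+("[^"]*"|\S+)', re.I)
MAX_BENIGN_INTERVAL_MIN = 5  # assumption: anything more frequent is worth a look


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return the /SC, /TN, /TR and /MO values of a schtasks command line, quotes stripped."""
    return {k.upper(): v.strip('"') for k, v in ARG_RE.findall(cmdline)}


def assess(cmdline: str) -> List[str]:
    """Return the suspicious traits found in one schtasks /Create command line."""
    lowered = cmdline.lower()
    if 'schtasks' not in lowered or '/create' not in lowered:
        return []
    args = parse_schtasks(cmdline)
    reasons = []
    if args.get('SC', '').upper() == 'MINUTE':
        # /MO defaults to 1, i.e. execution every minute, as in the Troldesh task.
        interval = int(args.get('MO', '1'))
        if interval <= MAX_BENIGN_INTERVAL_MIN:
            reasons.append(f'runs every {interval} min')
    if USER_WRITABLE.search(args.get('TR', '')):
        reasons.append('task runs binary from user-writable directory')
    return reasons


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map task name -> reasons for every command line that triggers at least one rule."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        reasons = assess(line)
        if reasons:
            hits[parse_schtasks(line).get('TN', '?')] = reasons
    return hits


if __name__ == '__main__':
    for name, why in scan(SAMPLE_CMDLINES).items():
        print(f'[ALERT] task {name}: ' + '; '.join(why))
```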
Quick Heal also spotted that the malicious payload contains an anti-debugging check to detect whether it is running under the control of a debugger.
Once the malicious payload is executed, it encrypts the files present on the system, appends the “.no_more_ransom” extension, and displays the following ransom note.
The main task of cyber threats such as ransomware is to infect your computer, lock your files, and demand a ransom payment. Scan all your emails for malicious links, content and attachments, and segregate the physical and logical network to minimize the infection vector.