Troldesh ransomware has emerged again and is spreading across the world. This crypto-ransomware variant was created in Russia; the previous variant encrypted files and appended the “.xtbl” extension, whereas the new variant appends the “.no_more_ransom” extension.
Quick Heal Labs observed that the ransomware is distributed by threat actors through RDP brute-force attacks, spam and phishing emails, and exploit kits.
Threat actors target the default RDP port, 3389, and launch a brute-force attack to obtain login credentials; if the attacker gains control of the system, they execute the payload on the victim machine directly.
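As an added example that is not part of the original report, the following Python script shows how a defender could spot the RDP brute-force stage described above from Windows Security logs: it counts failed logon events (event ID 4625) per source address inside a sliding time window and reports sources that exceed a threshold. The log lines, their four-field layout, the addresses and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4625 (failed logon) events, one per line.
# Field layout (an assumption for this example): timestamp, event id, logon type, source IP.
# Logon type 10 is RemoteInteractive (RDP session); type 3 is Network.
SAMPLE_EVENTS = """\
2018-09-10T10:00:01 4625 10 203.0.113.5
2018-09-10T10:00:12 4625 10 203.0.113.5
2018-09-10T10:00:25 4625 10 203.0.113.5
2018-09-10T10:00:40 4625 10 203.0.113.5
2018-09-10T10:01:02 4625 10 203.0.113.5
2018-09-10T10:01:15 4625 10 203.0.113.5
2018-09-10T10:05:00 4625 10 198.51.100.7
2018-09-10T10:30:00 4625 10 198.51.100.7
2018-09-10T10:31:00 4625 3 192.0.2.9
2018-09-10T10:31:05 4625 3 192.0.2.9
2018-09-10T10:31:10 4625 3 192.0.2.9
2018-09-10T10:31:15 4625 3 192.0.2.9
2018-09-10T10:31:20 4625 3 192.0.2.9
"""


def parse_events(text):
    """Turn the whitespace-separated sample lines into (timestamp, event_id, logon_type, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5), logon_types=(10,)):
    """Return {source_ip: peak_count} for every source that produced at least `threshold`
    failed logons of the selected logon types within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src in events:
        if event_id == 4625 and logon_type in logon_types:
            by_src[src].append(ts)

    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        # Two-pointer sweep: for each event, shrink the window from the left until it fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


if __name__ == "__main__":
    for src, count in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible RDP brute force from {src}: {count} failures in window")
```

With Network Level Authentication enabled, failed RDP attempts are commonly recorded as logon type 3 rather than 10, so in practice the `logon_types` filter is usually widened to include both; the threshold and window should be tuned against the normal failure rate of the environment.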
Another method is spam or phishing emails that deliver either a macro-embedded Word document or the payload itself directly.
Once the malicious payload file is executed, it copies itself to the AppData\Roaming\ folder, deletes the downloaded file, and runs the copy of the payload from the AppData location.
The payload then creates a scheduled task named Encrypter, set to run every 1 minute, with a wait time of 1 hour and an execution time limit of 72 hours.
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe
Quick Heal also found that the malicious payload contains an anti-debugging check to detect whether it is running under the control of a debugger.
Once executed, the payload encrypts the files present on the system, appends the “.no_more_ransom” extension, and displays the following ransom note.
In the second quarter of 2018, ransomware returned with new versions of the GandCrab, Sigma, and GlobeImposter campaigns.
The main task of ransomware is to infect your computer, lock your files, and demand a ransom. Scan all emails for malicious links, content, and attachments, and segregate the physical and logical network to minimize the infection vector.