Troldesh Ransomware emerges again and spreads all over the world. The crypto-ransomware variant was created in Russia, the previous variant of the ransomware encrypts the files and appends “.xtbl” extension whereas the new variant adds “.no_more_ransom” extension.
Quick heal labs observed the ransomware is distributed by threat actors through RDP Brute-force Attack, Spam and phishing emails and Exploit Kits.
Threat actors targeting the RDP default port 3389 and launches a Brute-force Attack to obtain login credentials, if the attacker’s gains control over the system they directly execute the payload on the victims.
Another method is through spam or phishing emails that download the macro embedded word document or the payload itself directly.
Once the malicious payload file executed it copies itself to the location “ AppData\Roaming\ “ and deletes the downloaded file and executes the copy of the payload from the AppData location.
The payload executes and launch a scheduled task and creates a task in name Encrypter and it has been scheduled to run every 1 minute, with a wait time of 1 hour and execution limit time limit of 72 hours.
“C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe
Quick Heal also spotted that the malicious payload also contains an Anti-debugging identifier to check that it is running under the control of a debugger.
Once the malicious payload gets executed it encrypts the file present in the system and appends “.no_more_ransom” extension and shows the following ransom note.
In the second quarter of 2018 and the ransomware returns back with new versions of GandCrab, Sigma, and GlobeImposter campaigns.
Cyber threats such as ransomware main task are to infect your computer and lock your files and Demand the ransom amount. Scan all your emails for malicious links, content, attachment and Segregate the physical and logical network to minimize the infection vector.
Organization Cyber Disaster Recovery Plan Checklist
Best Way to Accelerate and Secure Your Website From Top Common Web Threats
Simple and Best Ways to Protect Your Windows Computer From Cyber Attack
Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS and…
Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol (RDP).…
Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that is…
Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek, a…
The highly anticipated release of OPNsense 25.1 has officially arrived! Nicknamed "Ultimate Unicorn," this update…
Microsoft has officially added DeepSeek R1, an advanced AI model, to its Azure AI Foundry…