Emerging ransomware: Troldesh

Troldesh (detected as variants of Win32/Troldesh) started to show up in the early part of 2015 and became more prevalent in June this year. Overall detections have so far lessened in July – except for a notable spike around the 8th of the month, shown in Figure 1.

Line chart showing detections of Troldesh between April and July

Figure 1: Troldesh detections over the past four months

We are unable to determine the exact cause of this spike, but it might be attributed to a push by the Axpergle or Neclu exploit kits (also known as Nuclear) during that time.

Axpergle or Neclu is a known distributor of Troldesh and plays a role in its distribution and infection chain, as illustrated in Figure 2.

Flow chart indicating Troldesh is downloaded from the Nuclear exploit kit

Figure 2: Troldesh infection chain

The Axpergle and Nuclear kits, like most other exploit kits, check for vulnerabilities on the target machine and use them to deploy malware that downloads and installs Troldesh.

In particular, we’ve seen the Axpergle variant Exploit:HTML/Axpergle.N drop the following two files:


Troldesh creates the following files:

  • %APPDATA%\windows\csrss.exe – copy of the malware
  • %TEMP%\state.tmp – temporary file used for the encryption

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Client Server Runtime Subsystem"
With data: "%APPDATA%\windows\csrss.exe"

Like other ransomware, it holds files ransom by encrypting them and renaming the file extensions to .xbtl or .cbtl.
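The file, registry and extension indicators above can be checked against data already collected from a host. The following is an added example, not code from this post or from Microsoft. It generalizes the csrss.exe case to any system process name registered to run from outside the Windows system directories. The function names, the extra process names, the `C:\Windows` install path and the sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the write-up above.
RUN_VALUE_NAME = "client server runtime subsystem"
ENCRYPTED_EXTS = {".xbtl", ".cbtl"}
# Assumptions (not from the article): other system process names that get
# imitated, and a default C:\Windows install as their only legitimate home.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "svchost.exe"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def image_path(data, env):
    """Return the normalized, lower-cased executable path from Run-key data."""
    data = data.strip()
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]      # quoted path; arguments follow it
    else:
        hit = re.match(r"(?i)(.+?\.exe)(\s|$)", data)   # unquoted: cut after .exe
        data = hit.group(1) if hit else data
    # Expand %VAR% with the collected host's environment, leave unknown ones as-is.
    data = re.sub(r"%([^%]+)%", lambda v: env.get(v.group(1).upper(), v.group(0)), data)
    return ntpath.normpath(data).lower()

def triage(run_entries, file_paths, env):
    """Return a sorted list of (reason, item) findings."""
    findings = []
    for name, data in run_entries:
        path = image_path(data, env)
        folder, exe = ntpath.split(path)
        if exe in SYSTEM_NAMES and folder not in TRUSTED_DIRS:
            findings.append(("system-name-outside-system32", path))
        if name.strip().lower() == RUN_VALUE_NAME:
            findings.append(("troldesh-run-value", name))
    for p in file_paths:
        if ntpath.splitext(p)[1].lower() in ENCRYPTED_EXTS:
            findings.append(("encrypted-extension", p))
    return sorted(findings)

# Constructed sample of data collected from one host (not real telemetry).
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
RUN = [
    ("Client Server Runtime Subsystem", r'"%APPDATA%\windows\csrss.exe"'),
    ("Updater", r"C:\Program Files\Example\updater.exe /background"),
]
FILES = [r"C:\Users\alice\Documents\report.docx.xbtl", r"C:\Users\alice\notes.txt"]

if __name__ == "__main__":
    for reason, item in triage(RUN, FILES, ENV):
        print(reason, item)
```

The path check matters more than the value name: it still fires if a variant changes the Run value name but keeps imitating a system process from a user-writable folder.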

Ransom transaction

The payment method relies on a tried-and-true form of communication: the victim is asked to send an email to the malware author to get further instructions. A sample of the request is shown in Figure 3.

Ransom request written in Russian and English. The text explains files have been encrypted and to send an email for instructions

Figure 3: Sample ransom request

This is also how Ransom:Win32/Teerac conducted the transaction request, before jumping on the bandwagon that has previously been used by other ransomware families: using the Tor network for transactions.

In June, a researcher from Check Point attempted to negotiate the price with the malware’s author, asking for a discounted price to retrieve decryption for the files.

Encryption process

Troldesh replaces the desktop wallpaper with a message, in both Russian and English, that the files on the disk have been encrypted, as shown in Figure 4.

Ransom request written in Russian and English, with red text on a black background. The text explains files have been encrypted and to look in a readme.txt file for instructions

The ransomware distributes a decryption tool named decrypt_withlog.exe (also detected as Ransom:Win32/Troldesh.A), which is a command-line tool that looks for the file key.txt in the same directory where the tool is run. It’s likely that the key.txt file is sent by the malware author after receiving payment from the victim.

The tool is shown in Figure 5.

Command line decryption tool

Figure 5: decrypt_withlog.exe

Geographic distribution

Detections for Troldesh are seen mostly in Russia and Ukraine. Brazil and Turkey are the third and fourth countries with the most Troldesh detections, although after Ukraine the number of detections falls off greatly.

All other regions have less than one percent of the total detection count, as shown in Figure 6.

Pie chart showing the greatest region with Troldesh infections is Russia, with 80.80% of infections

Figure 6: Troldesh distribution

Over the past year, the distribution and rate of infection have remained static, as shown in the following video:


Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you’ve already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Use cloud protection

The Microsoft Active Protection Service (MAPS) uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Marianne Mallen

Comments (3)

  1. Stefan Kanthak says:

    As usual your recommendations are missing the simplest and MOST effective method to defend against malware: SAFER alias software restriction policies.
    After you set SAFER's default rule to "Deny" and allow execution only in %SystemRoot% and %ProgramFiles%, ALL threats/malware which try to run executables dropped in user-writable locations like %APPDATA% fail.
    Cf. http://mechbgon.com/srp/ or
    http://home.arcor.de/skanthak/SAFER.html for instructions resp. ready-to-run scripts to set up SAFER

  2. fhightower says:

    What is the scale of the y axis of fig. 1?

  3. Tebogo says:

    I have been attacked by the same malware. My PC froze for a few seconds as I was working, and all my files had .xbtl extensions afterwards. How do I deal with the malware? Can my files be recovered?
