Troldesh (detected as variants of Win32/Troldesh) started to show up in the early part of 2015 and became more prevalent in June this year. Overall detections have so far lessened in July – except for a notable spike around the 8th of the month, shown in Figure 1.
Figure 1: Troldesh detections over the past four months
The Axpergle and Nuclear exploit kits are known distributors of Troldesh and form part of its infection chain, as illustrated in Figure 2.
Figure 2: Troldesh infection chain
The Axpergle and Nuclear kits, like most other exploit kits, check for vulnerabilities on the target machine and use them to deploy malware that downloads and installs Troldesh.
In particular, we’ve seen the Axpergle variant Exploit:HTML/Axpergle.N drop the following two files:
Troldesh creates the following files:
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Client Server Runtime Subsystem"
With data: "%APPDATA%\windows\csrss.exe"
Like other ransomware, it holds files ransom by encrypting them and renaming the file extensions to .xbtl or .cbtl.
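The persistence entry and the renamed extensions above are the two host-based indicators a responder can check quickly. The following script is an added example, not code from the original post or from Microsoft: it parses the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and flags the value name Troldesh uses, or any csrss.exe launched from outside System32 (the legitimate csrss.exe lives in System32 and is never registered under Run), and it picks .xbtl/.cbtl files out of a file listing. The registry output and file paths in the block are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators taken from the write-up: the Run value name and the extensions
# appended to encrypted files.
TROLDESH_RUN_VALUE = "Client Server Runtime Subsystem"
TROLDESH_EXTENSIONS = {".xbtl", ".cbtl"}

# One Run entry as printed by `reg query`: name, type and data separated by
# runs of four or more spaces (value names themselves may contain spaces).
_RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4,}(?P<type>REG_\w+)\s{4,}(?P<data>.*)$")
# The executable portion of the data, with or without surrounding quotes.
_EXE = re.compile(r'\s*"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)


@dataclass
class RunEntry:
    name: str
    type: str
    data: str
    reasons: List[str] = field(default_factory=list)


def parse_run_entries(reg_query_output: str) -> List[RunEntry]:
    """Turn `reg query ...\\Run` text into RunEntry objects; header lines are skipped."""
    entries = []
    for line in reg_query_output.splitlines():
        m = _RUN_LINE.match(line)
        if m:
            entries.append(RunEntry(m["name"], m["type"], m["data"].strip()))
    return entries


def _executable(data: str) -> str:
    m = _EXE.match(data)
    return m["exe"] if m else data.strip().strip('"')


def find_suspicious_run_entries(reg_query_output: str) -> List[RunEntry]:
    """Return Run entries matching the Troldesh persistence indicators, with reasons."""
    flagged = []
    for entry in parse_run_entries(reg_query_output):
        folder, _, exe_name = _executable(entry.data).replace("/", "\\").rpartition("\\")
        if entry.name.lower() == TROLDESH_RUN_VALUE.lower():
            entry.reasons.append("value name matches the Troldesh persistence entry")
        if exe_name.lower() == "csrss.exe" and "system32" not in folder.lower():
            entry.reasons.append("csrss.exe launched from outside System32")
        if entry.reasons:
            flagged.append(entry)
    return flagged


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def find_encrypted_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose extension is one Troldesh appends after encryption."""
    return [p for p in paths if _extension(p) in TROLDESH_EXTENSIONS]


# Constructed sample output, in the layout `reg query` prints; the first two
# entries are benign, the third is the Troldesh entry from the write-up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Client Server Runtime Subsystem    REG_SZ    %APPDATA%\windows\csrss.exe
"""

# Constructed file listing (e.g. from `dir /s /b`).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.xbtl",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.cbtl",
]

if __name__ == "__main__":
    for entry in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] {entry.name} -> {entry.data}: {'; '.join(entry.reasons)}")
    for path in find_encrypted_files(SAMPLE_FILES):
        print(f"[!] encrypted file: {path}")
```

On a live system, feed the script the saved output of `reg query` for both the HKLM and HKCU Run keys, since the same value name can be written under either hive; the .xbtl/.cbtl check is useful for scoping which shares and profiles were touched before restoring from backup.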
The payment method relies on a tried and true form of communication: by requesting the victim send an email to the malware author to get further instructions. A sample of the request is in Figure 3.
Figure 3: Sample ransom request
This is also how Ransom:Win32/Teerac handled its transaction requests before it joined other ransomware families in using the Tor network for transactions.
In June, a researcher from Check Point attempted to negotiate the price with the malware's author, asking for a discount on decrypting the files.
Troldesh replaces the desktop wallpaper with a message, in both Russian and English, stating that the files on the disk have been encrypted, as shown in Figure 4.
The ransomware distributes a decryption tool named decrypt_withlog.exe (also detected as Ransom:Win32/Troldesh.A), a command-line tool that looks for the file key.txt in the same directory where the tool is run. The key.txt file is likely sent by the malware author after receiving payment from the victim.
The tool is shown in Figure 5.
Figure 5: decrypt_withlog.exe
Detections for Troldesh are seen mostly in Russia and Ukraine. Brazil and Turkey are the third and fourth countries with the most Troldesh detections, although after Ukraine the number of detections falls off greatly.
All other regions have less than one percent of the total detection count, as shown in Figure 6.
Figure 6: Troldesh distribution
Over the past year, the distribution and rate of infection have remained static, as shown in the following video:
Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.
If you’ve already paid, see our ransomware page for help on what to do now.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Use cloud protection
The Microsoft Active Protection Service (MAPS) uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.