In past few years, many of the ransomware infections and malware had been falling-off. However, there are some ransomware families that survived and still in action. Ransom.Troldesh aka ‘Shade’ is one the survivals that is back to target new users. According to the sources, Troldesh ransomware is rapidly spreading its wings from the second half of 2018 and still active in 2019.
Image Source: Uninstall Malware From PC
This shady ransomware is one of the threats that users need to look out in 2019. So, let’s check out how shade spreads? What are the symptoms? How to prevent it?
Also Read: Astaroth Trojan: Everything You Need To Know
How Shade Spreads?
Troldesh was first recognized in 2014 and since then it is playing hide and seek. The vector has majorly come into the play with malspam like phishing attacks. Hackers are sending malicious email attachments and link to target people.
The malware itself is offered as a download in corrupted zip file. When user accesses the file or perform download, then JavaScript also downloads the malicious payload along with it. The payload is mostly hosted on websites with the compromised CMS (Content Management System).
Image Source: SANS Internet Storm Center
The Shade emails are often spoofed. The Troldesh target uses phishing campaign to target the victims. As the ransom notes of Troldesh is written in English & Russian, so the origin of Shade is considered as Russian. Mostly shade is interested in Windows Operating System.
If you have received the malicious attachment or Shade link in your email and you haven’t unzipped the file then you won’t become a victim. To get infected, you need to unzip the zip by double-clicking on the JavaScript file.
What Are the Symptoms?
Once the Troldesh ransomware is installed on the system, it drops the end number of readme files (.txt files) on the same machine. After following the encryption process, the motive of shade to ensure user/victim is reading the ransom message. These files contain the same ransom notes in each file.
The normal targeted file extension are like .odm, .j2c, .asm, .m1v, .j2k, .iqy, .jps, .ods, .odb, .obj, .potm, .pdd, .pot, .dpx, .ics, .icb, .php5, .pcx, .slk, .shtml, .sdpx, .tbx, .wpd, .wmv, .wml, .wim, .vtml, .vtx, .wav, .wbm, .wbmp, .vsd, .vtm, .vst, .vrp, .wmf, .dc3, .tiff, .tbk, .vcs, .torrent, .tdi, .u3d, .tld, .thmx, .tif, .asmx, .avs, .asa, .arw, .asx, .avs, .backup, .as, .db, .djvu, .dcm, .dc3, .dat, .doc, .dib, .docm, .dbx.
How Does Encryption Work?
All the files are encrypted by using the AES 256 in Cipher Block Chaining mode. For each encrypted file, there are two random 256-bit AES keys which is generated. The first key is used for file content, wherein the second encryption key is used for encrypting the name of the file. All above-mentioned extension names are added after then encryption of the filename.
Also Read: Phishing Attack That Is Nearly Impossible To Detect, Separ Malware!
How to Prevent Troldesh Ransomware?
As precaution is always better than the cure, it is recommended to take the required security measure to prevent such attacks.
- Always take a backup of your vital files.
- Keep your system and software updated because updating your tool on the regular bases can easily help you to plug up vulnerabilities.
- Before access or downloading the attachments, it is important to scan the emails and attached links.
- Use anti-malware and antivirus tools.
- Blacklist wscript.exe. usually does not require users to run scripts. So, you can use blacklisting feature to ensure your safety.
- Conduct Cybersecurity training programs. Awareness of the latest threat and attacks helps you to protect your machine by patching the loopholes. Owner of the organization should conduct training programs or informative email to its employees to stay safe.
You can take the security aspects seriously and regularly run a scan to identify the system and software vulnerabilities. You can also contact professional security providers to detect loopholes and help you with their remedies.
Quick Reaction:
Leave a Reply