{"id":14771,"date":"2019-03-06T09:10:13","date_gmt":"2019-03-06T17:10:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/06\/news-8520\/"},"modified":"2019-03-06T09:10:13","modified_gmt":"2019-03-06T17:10:13","slug":"news-8520","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/06\/news-8520\/","title":{"rendered":"Spotlight on Troldesh ransomware, aka ‘Shade’"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 06 Mar 2019 16:00:00 +0000<\/strong><\/p>\n

Despite\u00a0the decline in the number of ransomware infections over the last year, there are several ransomware families that are still active. Ransom.Troldesh<\/a>, aka Shade, is one of them. According to our product telemetry, Shade has experienced a sharp increase in detections from Q4 2018 to Q1 2019.<\/p>\n

When we see a swift spike in detections of a malware family, that tells us we\u2019re in the middle of an active, successful campaign. So let\u2019s take a look at this \u201cshady\u201d ransomware to learn how it spreads, what are its symptoms, why it\u2019s dangerous to your business, and how you can protect against it.<\/p>\n

\"Troldesh<\/a><\/p>\n

Troldesh spiked in February 2019<\/em><\/p>\n<\/div>\n

Infection vector<\/h3>\n

Troldesh, which has been around since 2014, is typically spread by malspam\u2014specifically malicious email attachments. The attachments are usually zip files presented to the receiver as something he \u201chas to\u201d open quickly. The extracted zip is a Javascript that downloads the malicious payload (aka the ransomware itself). The payload is often hosted on sites with a compromised Content Management System (CMS)<\/a>.<\/p>\n

\"Troldesh<\/a><\/p>\n

Part of the obfuscated Troldesh Javascript<\/em><\/p>\n<\/div>\n

As the sender in Troldesh emails is commonly spoofed<\/a>, we can surmise that the threat actors behind this campaign are phishing<\/a>, hoping to pull the wool over users\u2019 eyes in order to get them to open the attachment.<\/p>\n

The origin of Troldesh is believed to be Russian because its ransom notes are written in both Russian and English.<\/p>\n

\"Troldesh<\/a><\/p>\n

Target systems are running Windows OS. Victims will have to unzip the attachment and double-click the Javascript file to get the infection started.<\/p>\n

Ransomware behavior<\/strong><\/h3>\n

Once deployed, the ransomware drops a lot of numbered readme#.txt files on the infected computer after the encryption routine is complete, most likely to make sure that the victim will read at least one of them. These text files contain the same message as the ransom note.<\/p>\n

Targeted file extensions<\/h4>\n

Troldesh looks for files with these extensions on fixed, removable, and remote drives:<\/p>\n

.1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx, .avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf, .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc, .jpe, .jpeg, , .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf, .tab, .tar, .tbb, .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wb2, .wav, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, and .zip<\/p>\n

Encryption<\/h4>\n

Files are encrypted using AES 256 in CBC mode<\/a>. For each encrypted file, two random 256-bit AES keys are generated: One is used to encrypt the file\u2019s contents, while the other is used to encrypt the file name. The extensions mentioned above are added after the encryption of the filename.<\/p>\n

Protect against Troldesh<\/h3>\n

Malwarebytes users can block Ransom.Troldesh through several different protection modules, which are able to stop the ransomware from encrypting files in real time.<\/p>\n

Real-time protection against the files in our definitions stops the ransomware itself:<\/p>\n

\"real<\/a><\/p>\n

Our anti-exploit and anti-ransomware modules block suspicious behavior:<\/p>\n

\"Malwarebytes<\/a><\/p>\n

Meanwhile, Malwarebytes’ malicious website protection blocks compromised sites:<\/p>\n

\"Web<\/a><\/p>\n

Other methods of protection<\/h3>\n

There are some security measures you can take to avoid getting to the phase where protection has to kick in or files need to be recovered.<\/p>\n