{"id":6326,"date":"2017-01-23T15:50:22","date_gmt":"2017-01-23T23:50:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-164\/"},"modified":"2017-01-23T15:50:22","modified_gmt":"2017-01-23T23:50:22","slug":"news-164","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-164\/","title":{"rendered":"Troldesh ransomware influenced by (the) Da Vinci code"},"content":{"rendered":"<p>We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Troldesh\">Win32\/Troldesh<\/a> ransomware family.<\/p>\n<p>Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we\u2019ve seen the following updates to Troldesh:<\/p>\n<ul>\n<li>Tor functionality<\/li>\n<li>Glyph\/symbol errors on the wallpaper ransom note<\/li>\n<li>Modified extension names for encrypted files<\/li>\n<li>New malware being delivered (<a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Trojan:Win32\/Mexar.A\">Trojan:Win32\/Mexar.A<\/a>)<\/li>\n<li>Updates the ransom note to cover the Tor functionality<\/li>\n<\/ul>\n<p>The biggest change in this update is the addition of Tor links. 
Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.<\/p>\n<p>The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/note-tor.png\"><img loading=\"lazy\" decoding=\"async\" width=\"879\" height=\"722\" class=\"aligncenter size-full wp-image-8066\" alt=\"The ransom note now includes onion.to addresses for payment\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/note-tor.png\" \/><\/a><\/p>\n<p>However, upon investigation it appears that Tor has blocked the address:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/blocked.png\"><img loading=\"lazy\" decoding=\"async\" width=\"585\" height=\"675\" class=\"aligncenter size-full wp-image-8065\" alt=\"Screenshot showing that the Troldesh payment site has been blocked by Tor\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/blocked.png\" \/><\/a><\/p>\n<p>Errors have been introduced into the image that replaces the user\u2019s desktop wallpaper (this occurred to several samples, but not all):<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/troldesh-wallpaper-errors.png\"><img loading=\"lazy\" decoding=\"async\" width=\"863\" height=\"650\" class=\"aligncenter size-full wp-image-8085\" alt=\"Errors and unknown symbols have been seen in some versions of the wallpaper - the symbols look like blank boxes and random characters\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/troldesh-wallpaper-errors.png\" \/><\/a><\/p>\n<p>After encryption, Troldesh changes the file\u2019s extension. 
In the latest update, we\u2019ve seen it use the following strings:<\/p>\n<ul>\n<li>.da_vinci_code<\/li>\n<li>.magic_software_syndicate<\/li>\n<\/ul>\n<p>For example, an encrypted file might appear as follows:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/troldesh-extension.png\"><img loading=\"lazy\" decoding=\"async\" width=\"971\" height=\"63\" class=\"aligncenter size-full wp-image-8075\" alt=\"A file name that is a series of random characters and ends in .da_vinci_code\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/troldesh-extension.png\" \/><\/a><\/p>\n<p>The list of file types that Troldesh encrypts has also increased \u2013 see the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Troldesh\">Win32\/Troldesh<\/a> description for a full list.<\/p>\n<h2>Prevention<\/h2>\n<p>To help stay protected:<\/p>\n<ul>\n<li>Keep your Windows operating system and antivirus <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\">up-to-date<\/a> and, if you haven\u2019t already, upgrade to <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>.<\/li>\n<li>Regularly back up your files to an external hard drive<\/li>\n<li>Enable file history or system protection. On Windows 10 and Windows 8.1, <a target=\"_blank\" href=\"https:\/\/support.microsoft.com\/en-au\/help\/17128\/windows-8-file-history\">set up a drive for file history<\/a><\/li>\n<li>Use OneDrive for Business<\/li>\n<li>Beware of <a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-review-and-mitigate-the-impact-of-phishing-attacks-in-office-365\/\">phishing emails<\/a>, spam, and clicking malicious attachments<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">Use Microsoft Edge to get SmartScreen protection<\/a>. 
It can help warn you about sites that are known to be hosting exploits, and help protect you from socially engineered attacks such as phishing and malware downloads.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/02\/24\/locky-malware-lucky-to-avoid-it\/\">Disable the loading of macros in your Office programs<\/a><\/li>\n<li>Disable your Remote Desktop feature whenever possible<\/li>\n<li>Use two-factor authentication<\/li>\n<li>Use a safe Internet connection<\/li>\n<li>Avoid browsing websites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)<\/li>\n<\/ul>\n<h2>Detection<\/h2>\n<ul>\n<li>Ensure your antimalware protection (such as <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/using-defender#1TC=windows-10\">Windows Defender<\/a>) is up-to-date and working correctly.<\/li>\n<li>Enable <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2015\/01\/14\/maps-in-the-cloud-how-can-it-help-your-enterprise\/\">Microsoft Active Protection Service (MAPS)<\/a> to get the latest cloud-based ransomware detection and blocking.<\/li>\n<\/ul>\n<h2>Recovery<\/h2>\n<p>In the Office 365 \u201c<a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-deal-with-ransomware\/\">How to deal with ransomware<\/a>\u201d blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including <a href=\"http:\/\/windows.microsoft.com\/en-US\/windows-8\/how-use-file-history\">backup and recovery using File History in Windows 10<\/a> and <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/previous-versions-files-faq\">System Restore in Windows 7<\/a>.<\/p>\n<p>You can also use OneDrive and SharePoint to back up and restore your files:<\/p>\n<ul>\n<li>OneDrive for Business and SharePoint:\n<ul>\n<li><a 
href=\"https:\/\/support.office.com\/en-us\/article\/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893\">Restore a previous version of a document in OneDrive for Business<\/a><\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/akieft\/2012\/01\/09\/restore-options-in-sharepoint-online\/\">Restore Option in SharePoint Online<\/a><\/li>\n<\/ul>\n<\/li>\n<li>OneDrive for home users:\n<ul>\n<li><a href=\"https:\/\/support.office.com\/en-us\/article\/Find-lost-or-missing-files-in-OneDrive-0d929e0d-8682-4295-982b-4bd75a3daa01\">Find lost or missing files in OneDrive<\/a><\/li>\n<li><a href=\"https:\/\/support.office.com\/en-us\/article\/Delete-or-restore-files-and-folders-949ada80-0026-4db3-a953-c99083e6a84f\">Delete or restore files and folders<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><em>Patrick Estavillo<br \/> MMPC<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/07\/13\/troldesh-ransomware-influenced-by-the-da-vinci-code\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32\/Troldesh ransomware family. 
Ransomware, like most malware, is constantly trying to change itself in&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10831,3765,10917,10918,10916,10888,10889,10919,10920,10761,10921],"class_list":["post-6326","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-mmpc","tag-ransomware","tag-ransomware-backup-and-recovery","tag-ransomware-da-vinci-code","tag-ransomware-mitigation","tag-ransomware-prevention","tag-ransomware-recovery","tag-trojanwin32mexar-a","tag-win32troldesh","tag-windows-10","tag-windows-update"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6326"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6326\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6326"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}