Troldesh Ransomware Spreading Via Weaponized Word Document

Troldesh ransomware emerges again and is spreading all over the world. This crypto-ransomware variant was created in Russia; the previous variant of the ransomware encrypts files and appends the “.xtbl” extension, whereas the new variant adds the “.no_more_ransom” extension.

Quick Heal Labs observed that the ransomware is distributed by threat actors through RDP brute force, spam and phishing emails, and exploit kits.

Threat actors target the default RDP port 3389 and launch a brute-force attack to obtain login credentials; once the attacker gains control of the system, they execute the payload directly on the victim machine.

Another method is spam or phishing emails that download either a macro-embedded document or the payload itself directly.

Troldesh Ransomware Infection Process

Once the malicious payload file is executed, it copies itself to the “AppData\Roaming” location, deletes the downloaded file and executes the copy of the payload from the AppData location.

The payload then creates a scheduled task named Encrypter, which is scheduled to run every 1 minute, with a wait time of 1 hour and an execution time limit of 72 hours.

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe
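The persistence step above (a minute-interval task whose action lives under the user's AppData\Roaming) is a useful hunting signal. The following is an added example, not code from the article or from Quick Heal: it parses CSV in the shape of `schtasks /Query /FO CSV /V` output (the column names and the "Minute" schedule-type value are assumptions) and flags tasks that show both traits together, using constructed sample rows rather than output from any real host.

```python
import csv
import io
import re

# Executables launched from a user-writable profile directory.
# Troldesh copies itself to AppData\Roaming and runs the copy from there.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def parse_tasks(csv_text):
    """Parse CSV rows as exported by `schtasks /Query /FO CSV /V`.

    The column names used below are assumed to match that export.
    """
    return list(csv.DictReader(io.StringIO(csv_text)))


def suspicious_tasks(csv_text):
    """Return (task name, command, reasons) for tasks matching the Troldesh pattern.

    A task is reported only when BOTH traits are present: the action runs
    from a user-writable AppData path AND the schedule is minute-based.
    Either trait alone is common on ordinary hosts and would be noisy.
    """
    hits = []
    for row in parse_tasks(csv_text):
        cmd = row.get("Task To Run", "")
        sched = row.get("Schedule Type", "")
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from user-writable AppData path")
        if "minute" in sched.lower():
            reasons.append("minute-interval schedule")
        if len(reasons) == 2:
            hits.append((row.get("TaskName", ""), cmd, reasons))
    return hits


# Constructed sample export (not from a real machine); column set trimmed.
SAMPLE = """\
"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\\Encrypter","C:\\Users\\user_name\\AppData\\Roaming\\info.exe","Minute","0:01:00"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","N/A"
"WS01","\\Updater","C:\\Users\\user_name\\AppData\\Local\\Vendor\\upd.exe","Daily","N/A"
"""

if __name__ == "__main__":
    for name, cmd, reasons in suspicious_tasks(SAMPLE):
        print(f"{name}: {cmd} ({'; '.join(reasons)})")
```

The third sample row (an AppData\Local updater on a daily schedule) is deliberately left unflagged to show that the two traits are required together.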

Quick Heal also noted that the malicious payload contains an anti-debugging check to detect whether it is running under the control of a debugger.

Once the malicious payload is executed, it encrypts the files present on the system, appends the “.no_more_ransom” extension and displays the following ransom note.

[Screenshot: Troldesh ransom note]

In the second quarter of 2018, ransomware returned with new versions of the GandCrab, Sigma, and GlobeImposter campaigns.

The main task of cyber threats such as ransomware is to infect your computer, lock your files and demand a ransom payment. Scan all your emails for malicious links, content and attachments, and segregate the physical and logical network to minimize the infection vector.
