Types header

Name xbtl
Type Crypto-Ransomware
Encryption Type  AES256
Short Description This comes under Crypto-Ransomware variant. The origin of this is said to be from Russia and from there it is spread all over the world. There are various names for this ransomware they are Troldesh”, aka Encoder.858 or Shade.
Symptoms  File become inaccessible
Distribution Method This ransomware is spread basically through E-mail, Using Exploit kit.
Image  shade xbtl
More Details

This showed up on early part of 2015 and became more prevalent during June 2015. The troldesh detection over 2015 graphical representation is as given below:


The exact reason for the sudden spike is not enclosed so far but it is said that it might be because of the AXPERGLE or NECLU exploit kits .

The troldesh infection chain has 3 steps:

  1. Using Exploit kits (AXPERGLE or NECLU)
  2. Compromised website that allows the exploit code onto the machine.
  3. After the code is Injected onto the machine the vulnerability on the machine is exploited allowing the malware to download and install Troldesh.

The AXpergle variant drops the following two files :

The Installation Process:

The Troldesh Creates these files in the infected system:

  • %APPDATA%\windows\csrss.exe – copy of the malware
  • %TEMP%\state.tmp – temporary file used for the encryption

Whenever the system is restarted it changes the following registry entry so that it will run each time.

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: “Client Server Runtime Subsystem”
With data: ” %APPDATA%\windows\csrss.exe “

Just like other ransomware , This holds files by encrypting them and renaming extension to .xbtl or .cbtl.

Ransom Transaction:

   In this ransomware the payment method is face to face. The victim is asked to mail to the author for further instruction.

The ransomware ditriubutes a decryption tool As decrypt_withlog.ece. This is a command line tool that searches the file key.txt in same directory where the tool is running , It will be like key.txt.


Mostly this ransomware was seen in Russia and Ukraine followed by brazil and Turkey. Other regions just have less than one percent of total detection count. The graphical representation for the distribution is as given below.