|Short Description||This comes under Crypto-Ransomware variant. The origin of this is said to be from Russia and from there it is spread all over the world. There are various names for this ransomware they are Troldesh”, aka Encoder.858 or Shade.|
|Symptoms||File become inaccessible|
|Distribution Method||This ransomware is spread basically through E-mail, Using Exploit kit.|
This showed up on early part of 2015 and became more prevalent during June 2015. The troldesh detection over 2015 graphical representation is as given below:
The exact reason for the sudden spike is not enclosed so far but it is said that it might be because of the AXPERGLE or NECLU exploit kits .
The troldesh infection chain has 3 steps:
The AXpergle variant drops the following two files :
The Installation Process:
The Troldesh Creates these files in the infected system:
Whenever the system is restarted it changes the following registry entry so that it will run each time.
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Just like other ransomware , This holds files by encrypting them and renaming extension to .xbtl or .cbtl.
In this ransomware the payment method is face to face. The victim is asked to mail to the author for further instruction.
The ransomware ditriubutes a decryption tool As decrypt_withlog.ece. This is a command line tool that searches the file key.txt in same directory where the tool is running , It will be like key.txt.
Mostly this ransomware was seen in Russia and Ukraine followed by brazil and Turkey. Other regions just have less than one percent of total detection count. The graphical representation for the distribution is as given below.