Troldesh Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 100% (High)
Infected Computers: 1
First Seen: June 3, 2015
Last Seen: June 16, 2020
OS(es) Affected: Windows
The Troldesh Ransomware is a ransomware infection created in Russia and first released in 2015. It is also known as Encoder.858 and Shade and has been responsible for attacks all around the world. Like most encryption threats, the Troldesh Ransomware encrypts the victim's files and then demands payment of a ransom in order to decrypt them (hence the term 'ransomware'). It appends the XTBL extension to the end of every encrypted file. The most common distribution method for the Troldesh Ransomware is spam email messages containing infected attachments or links.
The Characteristics of the Troldesh Ransomware Attack
One particular characteristic of the Troldesh Ransomware is that the people behind it communicate directly with the victims of its attacks. Although most ransomware attacks direct victims to an online page, often hosted on TOR and tied to automated payment methods, the Troldesh Ransomware provides an email address through which the attackers communicate with the victim directly and establish the ransom amount and payment method. This has led to curious situations in which victims hold direct conversations with their attackers, negotiating the ransom amount and even obtaining discounts through this correspondence.
How the Troldesh Ransomware Attacks a Computer
The main method of the Troldesh Ransomware attack is to encrypt the victim's data and then demand payment of a ransom in exchange for the decryption key. Once the victim's files have been encrypted, the Troldesh Ransomware displays a message on the victim's computer with payment instructions and renames all the encrypted files. This adds a further layer of inconvenience to the attack, since the Troldesh Ransomware replaces the files' names with random characters and adds the XTBL extension. It also drops text files containing the same payment instructions: about twenty copies on the victim's desktop and one copy in each folder that contains encrypted files.
Through the dropped text files, the victim is instructed to send a specific code to an included email address. Essentially, the Troldesh Ransomware attacks may have the following characteristics:
- The Troldesh Ransomware attack displays a warning message on the victim's computer.
- The Troldesh Ransomware replaces files on the victim's computer with encrypted copies in XTBL format.
- The Troldesh Ransomware drops text files on the victim's computer. These text files contain information on the attack and contact information for the attackers.
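The three characteristics listed above can be turned into a simple triage check for defenders. The script below is an added example written for this page, not EnigmaSoft's or SpyHunter's code: given a file listing, it groups files by folder, looks for files renamed to random characters with the .xtbl extension, checks whether a text file sits beside them in each affected folder, and counts text files on the desktop. The page does not name the ransom-note file, so any .txt file beside encrypted files is treated as a candidate note; the "random characters" pattern and the desktop threshold are assumptions, and the sample listing is constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Heuristics follow the behaviour described on the page; the thresholds and the
# "random characters" pattern are assumptions made for this example.
XTBL_RE = re.compile(r"\.xtbl$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[A-Za-z0-9+=_-]{16,}")  # no spaces, no readable name left
DESKTOP_NOTE_FLOOD = 10                               # page: roughly twenty note copies


def triage(paths):
    """Group file paths by folder and report Troldesh/XTBL-style indicators."""
    encrypted = defaultdict(list)  # folder -> names ending in .xtbl
    text_files = defaultdict(int)  # folder -> count of .txt files (candidate notes)
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent).lower()
        if XTBL_RE.search(p.name):
            encrypted[folder].append(p.name)
        elif p.suffix.lower() == ".txt":
            text_files[folder] += 1

    folders = {}
    for folder, names in encrypted.items():
        stems = [PureWindowsPath(n).stem for n in names]
        folders[folder] = {
            "encrypted": len(names),
            "randomised": sum(1 for s in stems if RANDOM_STEM_RE.fullmatch(s)),
            "note_present": text_files.get(folder, 0) > 0,
        }
    desktop_notes = sum(c for f, c in text_files.items() if f.endswith("desktop"))

    # Flag when the page's characteristics appear together: .xtbl files plus a note
    # beside them, or .xtbl files anywhere plus a flood of text files on the desktop.
    note_beside_files = any(v["note_present"] for v in folders.values())
    suspicious = bool(folders) and (note_beside_files or desktop_notes >= DESKTOP_NOTE_FLOOD)
    return {"folders": folders, "desktop_notes": desktop_notes, "suspicious": suspicious}


# Constructed sample listing (not real telemetry) shaped like the page's description.
SAMPLE_PATHS = (
    [r"C:\Users\alice\Documents\Q1F4kz0P3vN8bH2sLm7Yx1Rq.xtbl",
     r"C:\Users\alice\Documents\c8RtW2nB5kQ9zX1mV4pL0sD6.xtbl",
     r"C:\Users\alice\Documents\README.txt",
     r"C:\Users\alice\Pictures\holiday.jpg"]
    + [rf"C:\Users\alice\Desktop\README{i}.txt" for i in range(1, 21)]
)

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

On a real host the path list would come from a directory walk of user profiles; the heuristic is a triage aid, not a substitute for a signature-based scan.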
There’s a Real Person on the Other Side of the Troldesh Ransomware Contact Link
After sending the code to the specified email address, computer users receive an answer with additional instructions. The attackers instruct the victim to send one of the encrypted files to prove that they can actually decrypt it. Unlike most other encryption threats, this is not an automated answer. Attempts to start a conversation have received real answers demanding payment in rubles, and PC security researchers have negotiated successfully with the attackers. This gives insight into these types of attacks. When dealing with threats, computer users and PC security researchers may get caught up in the obfuscation and attack methods of these infections. It is easy to forget that there are always real people behind these attacks: unscrupulous attackers with no qualms about harassing and attacking computer users in order to turn a profit. Threat attacks may be about manipulating people rather than technological advances, and social engineering is the single most popular and powerful way of distributing threats. Despite the encryption methods of the Troldesh Ransomware attack, it is easy to forget that the Troldesh Ransomware is distributed through spam email messages that use social engineering to trick inexperienced computer users into downloading and installing it in the first place.