We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family.
Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we’ve seen the following updates to Troldesh:
The biggest change in this update is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.
The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):
However, upon investigation it appears that Tor has blocked the address:
Errors have been introduced into the image that replaces the user’s desktop wallpaper (this occurred in several samples, but not all):
After encryption, Troldesh changes the file’s extension. In the latest update, we’ve seen it use the following strings:
For example, an encrypted file might appear as follows:
The list of file types that Troldesh encrypts has also increased – see the Win32/Troldesh description for a full list.
To help stay protected:
In the Office 365 “How to deal with ransomware” blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.
You can also use OneDrive and SharePoint to back up and restore your files:
Patrick Estavillo
MMPC