Mass mailing of the Troldesh ransomware on behalf of Russian companies
In the second quarter of 2019, Group-IB discovered more than 6,000 phishing emails carrying Troldesh. The campaign distributing the ransomware is still active: in June alone, about 1,100 such phishing emails were registered.
Figure: sample of the first version of the Troldesh ransomware (Shade), 2015.
In the body of the phishing emails, the attackers introduce themselves as employees of a company and ask the recipient to open the attached file, an archive that supposedly contains the details of an order. All sender addresses are forged. The emails are sent through a rented botnet that includes not only ordinary servers but also infected IoT devices such as routers.
The attackers have considerably diversified the list of sender addresses. They increasingly pose as employees of companies from a range of industries: retail, oil and gas, construction, aviation, recruitment and media. Mailings on behalf of banks are also used, but these take the form of personal letters from top managers.
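As an added illustration (not part of the original article), the Python script below shows how a mail gateway could triage inbound messages for the pattern described above: a From header claiming a corporate sender whose Return-Path (envelope sender) domain differs, combined with an archive attachment offered as "order details". The two sample messages, their domains and the list of archive extensions are constructed for this example; only the standard library is used.

```python
"""Heuristic triage of inbound mail for the phishing pattern described in the
article: a forged corporate sender plus an archive attachment "with order
details". The sample messages below are constructed for this example."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: these archive types are the ones worth flagging at the gateway.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".arj")


def _domain(addr_header) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message and report the indicators that matter here."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    # A claimed corporate sender whose envelope sender lives elsewhere is the
    # "forged sender address" pattern the article describes.
    sender_mismatch = bool(from_domain and envelope_domain and from_domain != envelope_domain)
    # iter_attachments() skips the body parts and yields the real attachments.
    archives = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS)
    ]
    indicators = {"sender_mismatch": sender_mismatch, "archive_attachments": archives}
    # Quarantine only when both indicators coincide; either one alone is common
    # in legitimate mail (forwarders, mailing lists, genuine zipped invoices).
    indicators["action"] = "quarantine" if sender_mismatch and archives else "deliver"
    return indicators


# Constructed sample: forged corporate sender, relay envelope address, zip attachment.
SUSPICIOUS = """\
Return-Path: <bounce-7f3a@mail-relay.example.net>
From: "Accounting Dept" <accounting@retailer.example>
To: recipient@corp.example
Subject: Order details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached archive with the order details.
--b1
Content-Type: application/zip; name="order_details.zip"
Content-Disposition: attachment; filename="order_details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: consistent sender domains, PDF attachment.
BENIGN = """\
Return-Path: <alice@retailer.example>
From: "Alice" <alice@retailer.example>
To: bob@corp.example
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Invoice attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The mismatch check is deliberately weak on its own: forwarded mail and list traffic also produce differing envelope and header domains, which is why the script only quarantines when the archive attachment is present as well. In production the same decision would normally lean on SPF/DKIM/DMARC results recorded by the receiving MTA rather than on header string comparison alone.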
Troldesh is an old ransomware family, first seen back in 2015. It is also known as Shade, XTBL, Trojan.Encoder.858, Da Vinci and No_more_ransome. The attackers regularly change the packer and successfully bypass anti-virus protection. By the end of 2018, Troldesh had entered the top 3 most widespread ransomware families, alongside RTM and Pony.
The Troldesh command-and-control server is located on the Tor network and constantly changes its domain address, which makes it difficult to block.
Troldesh is sold and rented on specialised darknet sites, which is why the malware keeps acquiring new functionality and changing the way it spreads. Recent Troldesh campaigns have shown that it now not only encrypts files but also mines cryptocurrency and generates visits to websites to inflate their traffic and online advertising income.
Kaspersky Lab distributes the Shade Decryptor tool free of charge, but it only helps against the first and second versions of the ransomware.
The standard measures for preventing infection apply:
- download programs only from trusted sources;
- do not open suspicious email attachments;
- do not follow dubious links;
- keep backup copies of important files, stored separately from the originals.
With this malware, the attackers also attempt to withdraw money from the victim's account. The expert confirmed that there is no decryptor for the latest version of Shade.
Source: habr.com