Group-IB experts warn of increased activity by the Troldesh (Shade) ransomware. The attackers' goal is to get the program running inside a company's local network, encrypt files and demand a ransom.
In previous attacks the botnet operators sent emails in the name of banks and retail companies. Now there is a mass mailing in the name of employees of major airlines (for example, Polar Airlines), car dealers (Rolf) and media outlets (RBC, Novosibirsk-online).
In the second quarter of 2019, Group-IB detected more than 6,000 phishing emails carrying Troldesh. The ransomware mailing campaign is still active: about 1,100 phishing emails were recorded in June alone.
Sample of the first version of the Troldesh (Shade) ransomware, 2015.
In the text of the phishing emails the attackers introduce themselves as company employees and ask the recipient to open the attached file, an archive that supposedly contains the details of an order. All return addresses are forged. Distribution is carried out through a rented botnet that includes not only ordinary servers but also infected IoT devices such as routers.
The attackers have considerably widened the list of return addresses. They increasingly pose as employees of companies from various industries: retail, oil and gas, construction, aviation, recruitment and media. Mailings in the name of banks are still used, but now in the form of personal letters from top managers.
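The lure described above has three observable traits that a mail gateway can check before a user ever opens the archive: the sender poses as an employee of a well-known company, the return address does not belong to that company, and the attachment is an archive wrapping executable content. The script below is an added example, not code from Group-IB, Kaspersky or the article: it constructs a sample message in that shape (the addresses, .example domains, brand-to-domain map and risky-extension list are all assumptions made for the demonstration) and reports which of the three indicators fire.

```python
"""Mail-gateway checks for the Troldesh-style lure described in the article.
Added example: the sample message, the KNOWN_SENDER_DOMAINS map and the
RISKY_EXTENSIONS list are assumptions, not data from the article."""
import email
import email.utils
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: file types that, found inside an attached archive, warrant quarantine.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr",
                    ".bat", ".cmd", ".ps1", ".lnk"}
# Assumed mapping of brand keywords seen in sender display names to the domains
# those organisations really send from (placeholder .example domains, not real ones).
KNOWN_SENDER_DOMAINS = {"rolf": "rolf.example", "rbc": "rbc.example",
                        "polar airlines": "polar-airlines.example"}


def build_sample_lure() -> bytes:
    """Construct an email in the shape the article describes (sample data, not a real campaign)."""
    msg = EmailMessage()
    msg["From"] = '"Ivan Petrov, Rolf sales department" <i.petrov@free-mail.example>'
    msg["Return-Path"] = "<bounce@infected-router.example>"
    msg["To"] = "accounting@victim.example"
    msg["Subject"] = "Order details"
    msg.set_content("Good afternoon, the details of your order are in the attached archive.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.js", "// constructed placeholder, contains no malicious code\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="order_details.zip")
    return bytes(msg)


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if there is none."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def risky_archive_members(data: bytes) -> list[str]:
    """List members of a zip archive whose extension is in RISKY_EXTENSIONS; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def analyze_message(raw: bytes) -> list[str]:
    """Return the lure indicators found in a raw RFC 5322 message; [] means none were seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Forged return address: the bounce domain does not match the visible sender domain.
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        findings.append(f"return-path domain {return_domain} differs from From domain {from_domain}")

    # 2. Brand impersonation: display name names a company the sender domain does not belong to.
    display_name, _ = email.utils.parseaddr(msg["From"] or "")
    for brand, legit_domain in KNOWN_SENDER_DOMAINS.items():
        if brand in display_name.lower() and from_domain != legit_domain:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")

    # 3. Archive attachment that wraps a script or executable.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(".zip") or part.get_content_type() == "application/zip":
            members = risky_archive_members(part.get_payload(decode=True))
            if members:
                findings.append(f"archive {filename} contains executable content: {members}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(build_sample_lure()):
        print("QUARANTINE:", finding)
```

Each check is deliberately independent, so a message that trips only one of them can be scored rather than blocked outright; in practice the brand map would be fed from a list of partners and suppliers the organisation actually corresponds with, and the archive check extended to the other container formats the gateway accepts.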
Troldesh is an old ransomware family, first seen in 2015. It is also known as Shade, XTBL, Trojan.Encoder.858, Da Vinci and no_more_ransom. The attackers regularly change the packer and successfully evade anti-virus protection. By the end of 2018, Troldesh was among the three most widespread malware families in malicious mailings, alongside RTM and Pony (a banking trojan and a credential stealer respectively, neither of them ransomware).
The Troldesh command-and-control server is located on the Tor network and constantly changes its address, which makes it difficult to block.
Troldesh is sold and rented out on specialised darknet sites, so the malware is constantly acquiring new functionality and changing how it spreads. Recent Troldesh campaigns have shown that it now not only encrypts files but also mines cryptocurrency and generates traffic to websites (click fraud) to inflate income from online advertising.
On the forums where victims communicate, they say there is no way to recover the encrypted files; that is, the program is written competently from a cryptographic point of view.
Kaspersky Lab distributes the ShadeDecryptor tool free of charge, but it only helps against the first and second versions of the ransomware.
Standard measures for preventing infection:
"Shade is not only an encryptor: there are versions that also scan the infected device, and if it is found to have access to accounting systems, additional malware for remote access is installed," says Anton Ivanov, head of research and detection of complex threats at Kaspersky Lab.
Using this software, the attackers attempt to withdraw money from the account. The expert confirmed that there is no decryptor for the latest version of Shade.