“Troldesh’s” One More Variant in the Encryption Offender


Over the past few days, we have observed criminals/hackers using a new carrier to deliver ransomware. Recently, Quick Heal Security Labs observed a new variant of Troldesh ransomware which encrypts data and appends the extension “.no_more_ransom”. It is a crypto-ransomware variant; it is said to have originated in Russia and to have spread from there all over the world. The ransomware goes by several names: Troldesh, aka Encoder.858 or Shade.

Infection Vector

This ransomware has been observed to spread mainly through:

  1. RDP Brute-force Attack
  2. Spam and phishing emails
  3. Exploit Kits

In an RDP brute-force attack, the Remote Desktop Protocol (RDP) service running on port 3389 is targeted with a typical brute-force attack. As a result, the attacker obtains the victim’s administrative user credentials and then executes the ransomware payload on the victim’s system to encrypt the data.

In spam or phishing emails, users receive messages that lead to phishing sites, which download a macro-based Word document, a JS file or the malicious payload directly. Alternatively, a document is attached directly to the email, or a compressed file containing the malicious payload is attached.

Payload Analysis

When the malicious file is executed, it drops a copy of itself at “AppData\Roaming\”. Once the copy is dropped, it deletes the original payload from the location where it was executed and then runs the payload from the AppData location.

The payload contains the command below, which is used to create the self-copy at the AppData location. When the malicious payload is executed, it launches schtasks.exe (Scheduled Tasks) with this command, which creates a task named Encrypter:

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe


/SC MINUTE : Specifies the schedule type.

/TN Encrypter : Specifies a name for the task.

/TR C:\Users\user_name\AppData\Roaming\info.exe : Specifies the program or command that the task runs.

Fig 1 : Process Execution

The payload is scheduled to run every 1 minute; the task has a wait time of 1 hour and an execution time limit of 72 hours. Once the ransomware payload is executed, it encrypts files and adds the extension “.no_more_ransom”.

Fig 2: Created Task

Fig 3: Task Details
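
One way to hunt for this persistence step in process-creation logs, as an added example that is not part of the original analysis or of Quick Heal's detection logic: the Python below parses schtasks command lines case-insensitively and flags task creation that combines a minute-level schedule with a target in a user-writable folder. The function names, the folder list and every sample line other than the first (which is the command shown above) are assumptions constructed for illustration.

```python
import re

# Assumption: folders treated as user-writable; the page itself only shows AppData\Roaming.
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|temp|users\\public)\\", re.I)

def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, or None for anything else."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not re.search(r"(^|\\)schtasks(\.exe)?$", tokens[0], re.I):
        return None
    switches, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1  # not a switch: skip it
    return switches

def triage(cmdline):
    """List the reasons a task-creation command matches the pattern on this page."""
    sw = parse_schtasks(cmdline)
    if sw is None or "/create" not in sw:
        return []
    reasons = []
    if sw.get("/sc", "").lower() == "minute":
        reasons.append("minute-level schedule")
    if USER_WRITABLE.search(sw.get("/tr", "")):
        reasons.append("task runs a binary from a user-writable folder")
    return reasons

# Constructed process-creation command lines (the first is the command from the page).
SAMPLES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe',
    r'schtasks /create /sc minute /tn Updater /tr "C:\Users\a b\AppData\Roaming\u.exe"',
    r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',
    r'schtasks.exe /Query /TN Encrypter',
    r'cmd.exe /c dir C:\Users\user_name\AppData\Roaming',
]

def flagged(samples=SAMPLES):
    """Indexes of samples that show both traits (frequent schedule + writable path)."""
    return [i for i, s in enumerate(samples) if len(triage(s)) == 2]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s) or "ok", "|", s)
```

Matching on the combination of traits rather than on the task name Encrypter or the file name info.exe keeps the check useful if a later variant renames either.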

During our analysis we also found that the malicious payload contains an anti-debugging check, which detects whether the calling process is being debugged by a user-mode debugger. The image below shows an example: if a debugger is running when the payload is executed, it displays the following prompt/error message.

Fig 5: Debugger Prompt/Error Message

Encryption Note

Quick Heal Detection

Quick Heal Virus Protection successfully detects and deletes the malicious payload.

Fig 6: Virus Protection

The Behavior Detection module of Quick Heal also detects the malicious payload by its behavior and successfully blocks/quarantines it.

Fig 7: Behavior Detection

The Anti-Ransomware feature of Quick Heal detects the malicious payload.

Fig 8: Anti-Ransomware Detection.

Best practices to stay safe from such malware attacks

  • Do not download attachments or click on links received from unwanted or untrusted email sources.
  • Always turn on email protection of your antivirus software.
  • Don’t enable ‘macros’ or ‘editing mode’ upon execution of the document.
  • Keep your antivirus updated and ensure you are using the latest version.
  • Always keep a secure backup of your important data.
  • Apply all recommended updates on your Operating System and programs like Adobe, Java, Internet browsers, etc.
  • Ensure that your computer’s Automatic Updates are enabled.

We strongly advise our users to protect themselves by applying the firewall policies below in the Quick Heal firewall feature.

  • Deny access from public IPs to important ports (in this case RDP port 3389).
  • Allow access only from IPs that are under your control.
  • Along with blocking the RDP port, we also suggest blocking SMB port 445. In general, it’s advised to block unused ports.

Get more such safety measures here.


Subject Matter Expert:

Gulamgaus Shaikh, Ganesh Vetal, Mahendra KR   | Quick Heal Security Labs
