Digital attackers are using multiple compromised websites in order to distribute samples of the Troldesh ransomware family.

Sucuri Security observed malicious emails and services like social media spreading a URL in the form of a PHP file. Once clicked, the URL downloaded a JScript file to a victim’s downloader. This file, which specifically targeted Windows OS, arrived with the filename “Details of the order of JSC Airline Ural Airlines” translated into Russian, which suggests that digital attackers might have spoofed the airline in an attempt to trick customers.

The JScript file was a host-based malware dropper that began prepping the computer for the download of a Troldesh ransomware executable file. Towards that end, the file arrived with the variables NH and LC that contained the URLs of at least two compromised websites hosting the ransomware. The file then used that information to deploy the ransomware payload on the victim’s machine.

As quoted by Sucuri Security in its research:

If your AV or anti-malware software doesn’t block the execution, the ransomware begins the process of encrypting your files by using two separate keys—one key encrypts the filenames and the other encrypts the actual file contents. This dissuades victims from attempting decryption, as it increases the difficulty to do so.

Desktop after ransomware executable is loaded. (Source: Sucuri Security)

Troldesh gathered data about the infected system during its encryption routine and then used TOR connections to exfiltrate that data.

Claroty

Additionally, the ransomware included a TOR .onion URL in the README.txt file that functions as a feedback form. This page acted as a means for a victim to contact the attackers if they had trouble reaching them through their email.

Security professionals can help protect their organizations against ransomware samples like Troldesh by personalizing anti-spam settings, educating employees of phishing attacks (Read more...)