New variant of Troldesh Ransomware targets victims via compromised website URLs

• The newer variant initially downloads a JavaScript host file, which when executed, downloads the actual ransomware file.
• The threat actors use TOR for data transmission and communication with victims, and two malicious URLs for ransomware file delivery.

A new variant of the Troldesh ransomware is observing a rise in the past couple of weeks and spreading via compromised websites. The threat actors involved in spreading the malware trick victims into visiting malicious URLs by sending emails and messages on social media platforms.

How is the malware delivered?

According to security researchers from Sucuri, when someone clicks on the malicious URL, it completes loading the PHP file which in turn downloads a JavaScript file to the victims’ computer. This JavaScript file acts as a host-based malware dropper and prepares the process to download the actual ransomware file by infecting the victim’s computer.

Researchers also added that threat actors used at least two malicious URLs from compromised websites considering the case if one of them stops working, then the other should continue to perform the intended actions.

How do the threat actors trick victims?

After examining the JavaScript host file, researchers pointed out that the filename used by the JavaScript hist file was in the Russian language and translates to “Details of the order of JSC Airline Ural Airlines”. This clearly shows that the threat actors may have initially tried to spoof Ural Airlines customers, before spreading out to larger masses. However, the researchers added that malware activity and campaign do not have any relations with the Airline brand.

Which OS does the malware target?

The malware is found to target Windows OS, as it uses the JavaScript format files. The Troldesh malware executable files get stored carefully in the victims’ computer. Firstly, the malware executable script scans and acquires the important Windows OS system directories. Then the malware script generates a random directory to store the malicious executable files on the victims’ computer.

Antivirus detection rate

The report from the researchers pointed out that the Troldesh ransomware has a limited possibility of staying hidden inside the Windows file system. According to the report, the malicious JavaScript file that acts as the host has a 57% detection rate with antivirus software. Additionally, the actual ransomware file downloaded to the victims’ computer has a detection rate of 82%.

Encryption and Ransom Note

If the antivirus program installed on the victims’ computer does not detect the malicious host file or the ransomware executable file, then the ransomware starts encrypting files from the victims’ computer using a notable method.

• The ransomware uses two separate encryption keys - one to encrypt the file names and the other to encrypt the contents of the file.
• This makes it difficult for the victims to decrypt files and end up paying the requested ransom amount to the threat actors.
• Then the threat actor uses TOR connections to transfer the encrypted files to his remote servers.
• The threat actor provides a README.txt file that contains contact email address and instructions for the victims to recover the encrypted files.

Interestingly, the threat actor is also using a .onion URL to set up an alternative means of communication if the email address for communication does not work. However, researchers stated that this feature was added in the latest variant of the Troldesh ransomware.