- The threat actors use TOR for data transmission and communication with victims, and two malicious URLs for ransomware file delivery.
A new variant of the Troldesh ransomware has been observed on the rise over the past couple of weeks, spreading via compromised websites. The threat actors behind the campaign trick victims into visiting malicious URLs by sending emails and messages on social media platforms.
How is the malware delivered?
Researchers also added that the threat actors used at least two malicious URLs hosted on compromised websites, so that if one of them stops working, the other continues to perform the intended actions.
How do the threat actors trick victims?
Which OS does the malware target?
Antivirus detection rate
Encryption and Ransom Note
If the antivirus program installed on the victim's computer does not detect the malicious host file or the ransomware executable, the ransomware starts encrypting files on the computer using a notable method:
- The ransomware uses two separate encryption keys - one to encrypt the file names and the other to encrypt the contents of the file.
- This makes it difficult for victims to decrypt their files, and they end up paying the requested ransom amount to the threat actors.
- The threat actor then uses TOR connections to transfer the encrypted files to their remote servers.
- The threat actor provides a README.txt file that contains a contact email address and instructions for the victims to recover the encrypted files.
Interestingly, the threat actor also uses a .onion URL as an alternative means of communication in case the contact email address does not work. Researchers stated that this feature was added in the latest variant of the Troldesh ransomware.