Blog

Ranstop blocks Troldesh-Shade ransomware

Test subject – Troldesh/Shade ransomware

This is a 0-day variant of Troldesh/Shade ransomware. The ransomware family has a five-year history and has seen many improvements since the first version. It’s typically distributed via email campaigns, weaponizing office documents, using social engineering to manipulate users.

The cybercriminals use WordPress/Drupal/Joomla based websites to host their payload, hacking them using brute-force techniques. These will serve as download servers, used by the malicious javascript they distribute to users. The payloads are usually hosted as jpg files on the infected servers, but in fact, they are intelligently packed executables (2 layers), with obfuscated data and dynamic resolving of APIs.

Troldesh/Shade ransomware test facts

The new variant is also very clever. It uses a TOR client to communicate with the command and control servers, encrypting all transmissions. It’s also a combo, as it is not just ransomware, but also a crypto-mining malware and servers/websites hacking tool.

The attack begins as soon as the js is executed by downloading all the necessary payloads from the infected servers. The payloads are packed in such ways, that they clearly attempt to avoid detection by antimalware solutions as much as possible. Once downloaded, they are executed in a specific order, using command line interpreters, in another attempt to avoid detection. They are also digitally signed, although the signature is invalid. The payloads collect many sensitive data, such as user name, public IP, hardware related specifics etc.

Once everything is in place, encryption starts, which is the first phase of the attack. The files are renamed, their original names are base64 encoded, and they also receive a new extension “.crypted000007”. The desktop background is changed and ransom notes are dropped in many places. Volume shadow copies are also deleted.

The second phase consists of executing the secondary downloads. These are CMS brute-forcers, SQL injectors, and crypto-mining software which will run every time the OS starts, also packed in a similar way as the ransomware component, to avoid detection. These will basically attempt to hack other websites, host malicious payloads, and also to perform mining activities to obtain different cryptocurrencies using the victim’s hardware resources.

This is not an ordinary malware. It’s part of a coordinated malware operation, which is, at some level, self-sustainable and also anonymized. This variant of Troldesh/Shade is one of the most sophisticated ransomware we’ve seen lately. The group’s different crypto-currency wallets, at the time of writing this article, exceeded $200.000 in total.

Troldesh/Shade ransomware test results

TEMASOFT Ranstop detects this version of Troldesh/Shade ransomware soon after it starts encrypting files. Upon detection, alerts are fired off, and the malware process is stopped and quarantined. The affected files are automatically restored so that the user doesn’t lose any important information.


Click here to watch TEMASOFT Ranstop blocking Troldesh-Shade ransomware (video)!

Learn how to protect against ransomware!

About TEMASOFT Ranstop

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.


 
 

This post was last modified on August 21, 2023 7:26 am

FM Team

Share
Published by
FM Team

Recent Posts

The Role of File Monitoring Solutions in Maintaining File Integrity

In the digital world, information is often stored and transferred through files. From the most…

May 12, 2023

Guide to Conducting an Efficient File Access Permissions Audit for Admins and Technology Managers

Introduction Data security is more important than ever in today's fast-paced digital world. One critical…

April 9, 2023

File Integrity Monitoring: What It Is and Why It Matters

Introduction: Cyber threats are a growing concern for businesses and individuals alike. With the increasing…

March 5, 2023

Monitoring Essential Microsoft IIS Server Configuration Files for Enhanced Security

Microsoft Internet Information Services (IIS) is a popular web server that is widely used to…

February 25, 2023

Tracking file changes helps admins solve server configuration problems

File tracking is an important aspect of server administration, and it can help administrators detect…

February 1, 2023

Three reasons why admins should use file monitoring solutions

File monitoring solutions are essential tools for administrators to manage and protect their organizations' data…

January 6, 2023