According to researchers at Sucuri, a new variant of the Troldesh ransomware has been seen on the rise over the past several weeks and is spreading through the use of malicious URLs. Attackers are using a variety of methods such as adware and spam emails to trick visitors’ into false sites. Once a victim visits the malicious site, the site downloads a JavaScript file that acts as a host-based dropper which prepares to download the actual ransomware to infect the victim’s system. The malware currently only infects computers running Windows, it then generates a random directory to store malicious executable files on the victims’ computer. The attackers are using a filename in the Russian language that is trying to spoof Ural Airlines. Currently, it is reported that standard antivirus software has a detection rate of 57% for the base file and an 82% detection rate for the actual ransomware. If the antivirus program does not detect and stop the attack, the malware will begin encrypting the victim’s files with two separate encryption keys which makes it increasingly difficult to decrypt the affected files. Then the attacker uses TOR connections to transfer the encrypted files to their servers. Lastly, the threat actor delivers a README.txt file to the user explaining how to deliver money to decrypt the files.
Analyst Notes
Firstly, users should verify that their antivirus/malware software is updated regularly and is always running in the background. Secondly, the primary method to defeat ransomware is to have secure backups of the individual’s system. If a user’s files are attacked with ransomware they will be able to simply delete the affected files and replace them with the secure backups.
