Spotlight on Troldesh Ransomware, aka ‘Shade’ (Mar 6, 2019)

According to researchers at Malwarebytes, infections by the ransomware "Troldesh" (also known as Shade) have increased over the past few months. The malware targets Windows machines and is typically distributed through phishing emails carrying malicious .zip attachments; the message usually urges the recipient to unzip and open the attachment quickly. If the target follows those instructions, the ransomware payload is downloaded onto the machine from compromised Content Management System (CMS) websites. The ransom note is written in both Russian and English and instructs the victim to email a given address for instructions on recovering their files; the Russian-language note is one reason Troldesh is believed to be of Russian origin.
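The delivery chain above (a zipped attachment whose contents fetch the real payload) is the point where a mail gateway can intervene. The following is an added example, not code from Malwarebytes or Anomali: a small Python triage helper that parses a raw email, opens each .zip attachment in memory, and flags members with script or executable extensions (including double extensions such as invoice.pdf.js) and encrypted members it cannot inspect. The extension list and the sample phishing message are assumptions constructed for the example.

```python
"""Flag e-mail .zip attachments that carry script or executable payloads.

Added example for the Troldesh/Shade delivery chain; not code from the
Malwarebytes report or from Anomali. RISKY_EXTENSIONS and the sample
message are assumptions/constructed data for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Dict, List

# Extensions that have no business inside an e-mailed archive at a typical
# corporate mail gateway (assumed list; tune it for your environment).
RISKY_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
    ".bat", ".cmd", ".ps1", ".lnk", ".dll", ".jar",
}


def risky_zip_members(zip_bytes: bytes) -> List[str]:
    """Return zip member names that carry a risky final extension.

    Only the last suffix is checked, so 'invoice.pdf.js' is caught.
    Encrypted members cannot be inspected and are reported as risky;
    a corrupt or non-zip blob is reported under a synthetic name so the
    caller never silently passes it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            flagged = []
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                if PurePosixPath(name).suffix.lower() in RISKY_EXTENSIONS:
                    flagged.append(name)
                elif info.flag_bits & 0x1:  # bit 0 = member is encrypted
                    flagged.append(f"{name} (encrypted)")
            return flagged
    except zipfile.BadZipFile:
        return ["<corrupt or non-zip attachment>"]


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 5322 message; return {attachment_name: [flagged members]}
    for every zip attachment that contains risky content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: Dict[str, List[str]] = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Decide by content as well as name: a zip renamed to .dat still opens.
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits = risky_zip_members(payload)
            if hits:
                findings[fname] = hits
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: a zip holding a .js stub and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2019.pdf.js", "// placeholder stub, not real malware\n")
        zf.writestr("readme.txt", "Please open the invoice quickly.\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Urgent: open the attached invoice immediately"
    msg.set_content("Please unzip and open the attached invoice right away.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_2019.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

On the constructed message, scan_message returns {"invoice_2019.zip": ["invoice_2019.pdf.js"]}; a gateway hook would quarantine any message for which the dictionary is non-empty. Checking the zip signature as well as the filename matters because attackers routinely rename archives, and treating encrypted members as risky closes the common "password in the email body" bypass.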

Recommendation: Always run antivirus and endpoint protection software to help prevent ransomware infection. Maintain secure backups of all important files so that paying for a decryption key never has to be considered, and implement a business continuity plan for the event of a ransomware infection. Treat email from unknown sources with suspicion, and do not open attachments or follow links in such messages. Your organization should maintain a policy of regularly checking for and applying new security patches. If a system is infected with ransomware, it should be wiped and reformatted even if the ransom is paid, and other machines on the same network should be scanned for signs of infection.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.