There is a new version of the Troldesh ransomware also called Encoder.858 and Shade Ransomware, researchers said.

While ransomware variants constantly evolve, this version of Troldesh comes with extensive modifications.

Ransomware Masked as Rockwell Update
Ransomware Works Offline
Ransomware Deletes Files, Asks for Money
Low-Cost Ransomware as a Service

This version of Troldesh utilizes a dedicated payment portal where users can go, enter a special ID from the ransom note, and receive further instructions on how to pay the ransom, according to researchers at Microsoft Malware Protection Center (MMPC).

Previous versions of Troldesh just displayed an email address where users could send an email to receive further instructions.

Schneider Bold

Security researchers often report these email addresses to the services where they are hosted and have them taken down.

Troldesh’s authors created new email addresses and compiled new ransomware versions that included these (different) email addresses in the ransom note, and decided to use a Tor website instead.

In its current ransom notes, Troldesh uses Tor network proxy servers to list the Tor URLs, via the and the websites. The URL is currently down, according to Microsoft, and users that want to pay can access that site using the Tor Browser and typing the URL, except the .cab at the end.

Other changes included with Troldesh is the usage of two creative extensions added to the end of encrypted files: .da_vinci_code and .magic_software_syndicate.

There are also some errors in the ransom note, but not that significant. Troldesh now encrypts even more file type categories and also infects users with additional malware called Mexar. This malware is new, and Microsoft saw it for the first time July 7. As such, there are very few details about what this threat does.

In statistics released a few days ago, Microsoft ranked Troldesh as the tenth most active ransomware family in the past 30 days.

Pin It on Pinterest

Share This