Troldesh threatens Russia

Russia has again seen a sharp increase in cyberattacks using the Troldesh encoder virus. Also known as Shade, XTBL, Trojan.Encoder.858, Da Vinci and No_more_ransome, the malware is being spread in phishing emails sent ‘on behalf of’ major brands, including airlines, car dealerships and even media outlets. More than 1,100 Troldesh-infected emails were detected in June alone (6,000 over the second quarter).

In a typical malspam email, an ‘employee’ of a major company asks the recipient to open an enclosed zip file. Once the user unzips the attachment, Troldesh encrypts the user’s files and demands a ransom for restoring the data.

Information security experts note that the epidemic is difficult to stop because the control center is based in the Tor network and is constantly changing location. Moreover, Troldesh is a popular product on DarkNet black markets and is used to create a growing number of modifications, which makes detection and removal troublesome.

Some Troldesh versions not only encrypt files but also mine cryptocurrency and generate fake web traffic, giving hackers several sources of income.

Troldesh was first detected four years ago, and by the end of 2018 it had become one of the most popular encoders. The worm is not targeting Russia alone: users in the United States, Canada, Japan, India and Thailand have also reported attacks.

File-encrypting ransomware is a common hacking tool all over the world because it forces users to pay to recover their files. That said, there is no guarantee that the files will be restored, and the ransom will be used to fund cybercrime.
