A New Variant of Troldesh Ransomware Is Spreading via Compromised Website URLs

In recent weeks, a new variant of Troldesh Ransomware has been seen spreading through compromised URLs on websites. The threat actors behind the ransomware are embedding malicious code in PHP pages that are linked from phishing emails, social media posts and many other third-party websites. These pages act as intermediary malware distributors that drop the Troldesh Ransomware payload on the target computer.

Distribution Method

The security experts at Sucuri observed that the malware is being spread through malicious websites. The malicious URLs are usually distributed via spam email campaigns or on social media platforms. When a user knowingly or unknowingly visits a compromised website and clicks the infected link, a PHP file starts loading. The PHP file acts as an intermediary delivery tool used to download the actual malware dropper onto the target system.

The infected PHP file then downloads a JavaScript file to the target computer. Once the JavaScript file has been downloaded on the host machine, it acts as the dropper for the actual malware; in this case, the Troldesh Ransomware is installed on the host computer.

Recently, the RIG Exploit Kit was used to distribute the ERIS Ransomware.

Malicious JScript File Tricks Users as “JSC Airline”

The malware mainly targets Windows OS users. The original JScript file has a Russian-language name: ./Подробности заказа ОАО Авиакомпания Уральские авиалинии.js.

According to the research, the file name translates into English as “Details of the order of JSC Airline Ural Airlines”. This means the malware distributors attempt to trick users into believing that the file comes from the airline company.

Additionally, it is important to note that the threat actors use two different compromised URLs, so that if one fails to load properly, or the website is suspended or becomes inaccessible, the other URL can still serve as the malware dropper.
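The delivery chain described above (a PHP page on a compromised site followed by a JScript download, possibly from a second compromised site) can be spotted in web proxy logs. The following is an added illustration and not code from the Sucuri research; the log format, the 60-second window and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy-log lines (not real traffic): "<ISO time> <client> <url> <content-type>".
# Client 10.0.0.5 shows the chain described above: a PHP page, then a script with a
# Russian "order details" name served from a second site, plus an unrelated benign script.
# Client 10.0.0.7 also fetches a script, but more than an hour after its PHP page.
SAMPLE_LOG = """\
2019-07-10T09:12:01 10.0.0.5 http://site-one.example/wp-content/loader.php text/html
2019-07-10T09:12:03 10.0.0.5 http://site-two.example/Подробности_заказа.js application/javascript
2019-07-10T09:12:05 10.0.0.5 http://cdn.example/app.js application/javascript
2019-07-10T10:30:00 10.0.0.7 http://site-three.example/index.php text/html
2019-07-10T11:45:00 10.0.0.7 http://cdn.example/app.js application/javascript
"""

WINDOW = timedelta(seconds=60)  # assumed: the dropper fetch follows the PHP hit within a minute
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse lines into (time, client, url, content_type) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, url, ctype = m.groups()
            events.append((datetime.fromisoformat(ts), client, url, ctype))
    return sorted(events)

def is_script(url, ctype):
    return ctype == "application/javascript" or url.lower().endswith(".js")

def severity(url):
    """Higher severity when the script's file name uses non-ASCII characters,
    as with the Russian 'order details' name used in this campaign."""
    name = url.rsplit("/", 1)[-1]
    return "high" if any(ord(ch) > 127 for ch in name) else "low"

def find_dropper_chains(events):
    """Return (client, php_url, script_url, severity) for every .php page load that is
    followed, from the same client and within WINDOW, by a script download."""
    hits = []
    for i, (t1, c1, u1, _) in enumerate(events):
        if ".php" not in u1.lower():
            continue
        for t2, c2, u2, ct2 in events[i + 1:]:
            if t2 - t1 > WINDOW:
                break  # events are sorted, so nothing later can fall inside the window
            if c2 == c1 and is_script(u2, ct2):
                hits.append((c1, u1, u2, severity(u2)))
    return hits

if __name__ == "__main__":
    for hit in find_dropper_chains(parse_log(SAMPLE_LOG)):
        print(hit)
```

Because the ransomware falls back to a second compromised URL, the check keys on the PHP-then-script sequence per client rather than on any single host name.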

Ransomware Threat Uses Random Directories To Store Data

The malicious JScript file first scans the system directories to gather information about the Windows OS directories. It then creates randomly named directories to store its executable files on the host machine.

AV Detection Rate and Encryption Process

According to the reports, the Troldesh ransomware has a high AV detection rate.

  • The AV detection rate for the malicious JavaScript file that acts as the dropper is 57%.
  • The detection rate for the actual ransomware file on the host machine is 82%.

Thus, an active anti-malware program has a good chance of detecting the malware on the computer. If the antivirus program on the victim’s computer fails to detect the malicious JScript file or the actual ransomware, the ransomware starts its encryption process.

Unlike other ransomware threats, this new variant of Troldesh Ransomware uses two separate encryption keys:

  • one key is used to encrypt the file names;
  • the other is used to encrypt the contents of the files.

Thus the victims may find it impossible to decrypt their files and are forced to pay the ransom fee to the ransomware authors. The encrypted files are all transferred to remote servers using TOR connections. After the encryption process is completed, the ransomware leaves a ransom note named README.txt. The text file contains information about the encryption that occurred and instructions to contact the authors via the provided email address.

Additionally, the malware authors also establish a TOR .onion URL as an alternate means of communication in case the provided email address does not work.

The .onion URL is provided within the ransom note and should be used to contact the threat actors if the email address does not work. When opened, the TOR .onion URL loads a “feedback” form with text written in both English and Russian.

The TOR URL is a recent addition in the latest version of the Troldesh Ransomware.


As the threat actors are leveraging compromised websites to spread droppers for this dangerous ransomware, users need to be very careful when visiting unfamiliar websites or clicking any suspicious links on them.

Also, beware of spam email and its attachments: do not open any link or download an attachment if it does not concern you or you don’t recognize the sender.

Ransomware can cause users huge losses, not only in terms of money but also of the important and sensitive data stored on the target system. To stay protected from ransomware, here is a guide to follow.

If you are infected with Troldesh Ransomware, you should quickly seek removal.
