Troldesh: One More Variant of the Encryption Offender
Over the past few days, Quick Heal has been observing criminals using a new carrier to deliver ransomware. Recently, Quick Heal Security Labs observed a new variant of the Troldesh ransomware which encrypts the victim’s data and appends the extension “.no_more_ransom” to each file. This family is a crypto-ransomware; it is said to have originated in Russia and from there spread all over the world. It goes by several names: Troldesh, also known as Encoder.858 or Shade.
It has been observed that this ransomware spreads primarily through two channels:
RDP Brute-force Attack
Spam and phishing emails
In an RDP brute-force attack, the Remote Desktop Protocol (RDP) service listening on port 3389 is targeted with a typical brute-force attack against login credentials. Once the attacker obtains the victim’s administrative user credentials, they execute the ransomware payload on the victim’s system to encrypt the data.
When the malicious file is executed, it drops a copy of itself in the location “AppData\Roaming\”. Once the copy has been dropped, it deletes the original payload from the location where it was executed and then runs the copy from the AppData location.
The payload contains the command below, which ties the self-copy in the AppData location to a scheduled task: when the malicious payload is executed, it launches schtasks.exe (Schedule Tasks) with this command, creating a task named Encrypter:
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\user_name\AppData\Roaming\info.exe
/SC MINUTE : Specifies the schedule type (run on a minute-based schedule).
/TN Encrypter : Specifies a name for the task.
/TR C:\Users\XXXX\AppData\Roaming\info.exe : Specifies the program or command that the task runs.
The task is scheduled to run every 1 minute; it has a wait time of 1 hour and an execution time limit of 72 hours. Once the ransomware payload runs, it encrypts the files and appends the extension “.no_more_ransom”.
During the analysis we also found that the malicious payload contains an anti-debugging check, which detects whether the calling process is being debugged by a user-mode debugger. The image below shows an example: when the payload is executed while a debugger is running, it displays the following prompt/error message.
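As an added defender-side example (not Quick Heal’s code), the following Python flags scheduled tasks that match the persistence pattern described above in the CSV output of schtasks /Query /FO CSV /V; the column names are assumed from that format and the sample rows are constructed, not taken from the article.

```python
"""Flag scheduled tasks matching the Troldesh persistence pattern described above.
Input is the CSV from `schtasks /Query /FO CSV /V`; the column names used here are
assumed from that format, and the sample rows below are constructed, not captured."""
import csv
import io
import re

# Drop location, task name and binary name reported on the page for this variant.
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
KNOWN_TASK_NAMES = {"encrypter"}
KNOWN_BINARIES = {"info.exe"}


def assess_task(row):
    """Return the reasons a task row matches the described persistence, or []."""
    reasons = []
    name = (row.get("TaskName") or "").strip().lstrip("\\").lower()
    action = row.get("Task To Run") or ""
    binary = action.split()[0].rsplit("\\", 1)[-1].strip('"').lower() if action else ""
    schedule = (row.get("Schedule Type") or "") + (row.get("Repeat: Every") or "")
    if ROAMING_RE.search(action):
        reasons.append("runs a binary from AppData\\Roaming")
    if name in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported indicator")
    if binary in KNOWN_BINARIES:
        reasons.append("binary name matches reported indicator")
    # A minute schedule (/SC MINUTE) is common for benign tasks, so it only adds
    # weight to a task that already matched on path or name.
    if reasons and "minute" in schedule.lower():
        reasons.append("repeats every minute")
    return reasons


def scan_schtasks_csv(text):
    """Parse schtasks CSV text; return {task_name: [reasons]} for flagged tasks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


# Constructed sample: a benign maintenance task and one matching the pattern.
SAMPLE_CSV = (
    '"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",'
    '"%windir%\\system32\\defrag.exe -c","Weekly","N/A"\n'
    '"WS01","\\Encrypter","C:\\Users\\user_name\\AppData\\Roaming\\info.exe",'
    '"One Time Only, Minute","0 Hour(s), 1 Minute(s)"\n'
)

if __name__ == "__main__":
    for task, why in scan_schtasks_csv(SAMPLE_CSV).items():
        print(task, "->", "; ".join(why))
```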
Best practices to stay safe from such malware attacks
Do not download attachments or click on links received from unwanted or untrusted email sources.
Always turn on email protection of your antivirus software.
Don’t enable ‘macros’ or ‘editing mode’ when opening a document.
Keep your antivirus updated and ensure you are using the latest version.
Always keep a secure backup of your important data.
Apply all recommended updates on your Operating System and programs like Adobe, Java, Internet browsers, etc.
Ensure that your computer’s Automatic Updates are enabled.
We strongly advise our users to protect themselves by applying the firewall policies below in the Quick Heal firewall feature:
Deny access from public IPs to important ports (in this case RDP port 3389).
Allow access only from IPs that are under your control.
Along with blocking the RDP port, we also suggest blocking SMB port 445. In general, it is advisable to block unused ports.