Bitcoin Ransomware Education – Troldesh

One of the more worrying forms of Bitcoin ransomware to appear is known as Troldesh, or Crypshed. Even though this malware appeared first in Russia – and seemed to stay there – the developers added an English translation to the software in an attempt to spread it in other countries as well. The number of infections has always been relatively low, thankfully, but the ransomware is still in circulation to this very day.

Also read: Bitcoin Ransomware Education – Crypvault

Troldesh Is An Odd Breed of Bitcoin Ransomware

TheMerkle_Bitcoin Ransomware Troldesh btc

What makes Troldesh a major concern is how security researchers are unsure why ransomware infections spike at certain intervals, whereas the number of infections remain relatively flat for most of the time. One thing’s for sure though: Troldesh became a favorable Bitcoin ransomware for hackers who like to bundle this malware with other exploit kits.

There are two main distributors for the Troldesh Bitcoin ransomware, namely Neclu and Axpergle. Don’t be mistaken in thinking these are two hacker aliases, as they are both exploit kits frequently used among internet criminals in Russia. By infecting websites and compromising the information found on these pages, either exploit kit will be installed and then start downloading Troldesh in the background.

What these two exploit kits really do is check a computer for any vulnerability they can find, and try to expose that weakness. Most antivirus solutions will pick up both Axpergle and Neclu, though, and the risk of infection is mitigated for the average Windows user. However, people who hardly update their antivirus definitions might still be vulnerable to attack.

Similar to nearly every other type of Bitcoin ransomware, Troldesh will replace the computer wallpaper and encrypted files on the hard disk. A text file is generated for the encrypted files, which contains instructions on how to proceed with the Bitcoin payment, No official details regarding the ransom amount have been published, so it could be completely random.

Most of the Troldesh infections occured in the Russian Federation – over 80% – followed by Ukraine, Brazil, and Turkey. Other countries were targeted as well, although their infection rates are far too low to be accurately represented in the charts presentd by Technet. Keeping in mind how the ransomware message is displayed in both Russian and English, there was quite a market for this malware.

Luckily for infected users, it does not seem all that hard to get rid of Troldesh. Microsoft Defender, which is installed on every Windows machine these days, can remove the Bitcoin ransomware from the system. Moreover, there is no mention users being unable to restore files from a backup, which seems to be a far preferable alternative to paying the ransom.

Source: Technet

Images credit 1,2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.