skip to Main Content

Russia hit by new wave of Troldesh (aka Shade) ransomware campaign

ESET: Russia has been hit again by the Troldesh (aka Shade) ransomware, with a malicious spam campaign, following the one of the last October. Also  Also Ukraine, France, Germany, and Japan affected

Russia has been hit by a ransomware campaign with the malware Troldesh (aka Shade). It has been discovered by ESET cyber security experts. Moreover, it appears to be the follow-up of the last October cyber attacks with the same code. The cybercrime vector as usual are emails with malicious JavaScript attachments. According to the company’s blog, the “telemetry shows the October 2018 campaign running at a consistent pace until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size. This campaign is a part of a larger trend we have observed from the beginning of 2019 – the comeback of malicious JavaScript attachments as a widely used attack vector.” The last cyber attacks have hit especially Russia (52% of the total detections), but not only. Among other affected countries are Ukraine, France, Germany, and Japan.

The cyber security experts: How the malware campaign works

The ransomware spreads through emails, that pose as order updates, seemingly coming from legitimate Russian organizations. The one seen by ESET cyber security expert “impersonate the Russian bank B&N Bank (note: recently merged with Otkritie Bank), and the retail chain Magnit. The ZIP archive contains a JavaScript file named “Информация.js” (“Information” in English). Once extracted and launched, it downloads a malicious loader, detected as Win32/Injector, that decrypts and launches the final payload: the Shade malware. It encrypts a wide range of file types on local drives. In this campaign, it appends the extension .crypted000007 to the encrypted files. The payment instructions are presented to victims in a TXT file, in Russian and English, which is dropped to all drives on the affected computer. The wording of the ransom note is identical to that from the previously-reported October 2018 campaign.

Back To Top