New Troldesh ransomware targets victims via compromised website URLs

Cybersecurity researchers from Sucuri have discovered that a new variant of the Troldesh ransomware has become more rampant in the past couple of weeks and is spreading via compromised websites. The threat actors involved in spreading the malware trick victims into visiting malicious URLs by sending emails and messages on social media platforms.

According to researchers, when someone clicks on the malicious URL, it completes loading the PHP file which in turn downloads a JavaScript file to the victims’ computer. This JavaScript file then acts as a host-based malware dropper and downloads the actual ransomware file by infecting the victim’s computer.

Researchers also added that attackers used at least two malicious URLs from compromised websites considering the case if one of them stops working, then the other should continue to perform the intended actions.

The malware is found to target Windows OS, as it uses the JavaScript format files. The Troldesh malware executable files get stored carefully in the victims’ computer. Firstly, the malware executable script scans and acquires the important Windows OS system directories. Then the malware script generates a random directory to store the malicious executable files on the victims’ computer.

The report from the researchers pointed out that the Troldesh ransomware has a limited possibility of staying hidden inside the Windows file system. According to the report, the malicious JavaScript file that acts as the host has a 57% detection rate with antivirus software. Additionally, the actual ransomware file downloaded to the victims’ computer has a detection rate of 82%.

If the antivirus program installed on the victims’ computer does not detect the malicious host file or the ransomware executable file, then the ransomware starts encrypting files from the victims’ computer using a notable method.

Interestingly, the threat actor is also using a .onion URL to set up an alternative means of communication if the email address for communication does not work. However, researchers stated that this feature was added in the latest variant of the Troldesh ransomware.