Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2019

How to remove Troldesh virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Troldesh is the cryptovirus that keeps on encrypting users' files since 2014 and remains active in 2019

The note of Troldesh virus

Troldesh ransomware – a dangerous virus that hails from Russia. The virus was recently spotted spreading new campaigns all over Russia, Mexico, and the U.S. The security software developers and malware researchers Avast discovered more than 100 000 attacks in 2019 by this particular strain of the cryptovirus.[1] Various phishing email campaigns and social media messaging platforms knowingly help to deliver the ransomware with malicious links and infected files.

With the help of the asymmetric algorithm, Troldesh virus is capable of encrypting a broad range of audio, video, excel, and similar files. After it finishes this procedure, it appends .xtbl, .crypted000007, .dexter, .da_vinci_code, .no_more_ransom and .magic_software_syndicate file extensions to damaged data.[2] Also, it changes the wallpaper into the ransom note filled with links to Tor addresses. The ransom note can be written either in English or in Russian.

Name Troldesh
Type Ransomware
File marker .xbtl or .cbtl
Versions Shade ransomware and No_more_ransom virus
Malicious files added on the system csrss.exe, state.tmp
Ransom note README.txt
Known since 2014
Known to install Pony, teamspy RAT, banking trojans and other malware
Distribution Phishing emails, spam campaigns, other malware
Elimination Use anti-malware tool to remove Troldesh ransomware and clean the machine with FortectIntego to eliminate virus damage

Alternatively, Troldesh ransomware is known as CrySis ransomwarextblShadeVirus EncoderGreen_Ray, Ecovector, and gerkaman@aol.com.xtbl. All its versions function as file-encrypting threats: they encrypt victim's files and request to pay a ransom. First signs of this virus were noticed back in 2015. Two years later, security experts find it as one of the most productive ransomware viruses.[3]

The ransom which is required by Troldesh virus varies from 0.5 to 1.5 BTC. However, having in mind that ransomware has started using such movement tools as Mimikatz, the ransom can increase and, in most cases, is based on the value of the victims' data.

According to Troldesh ransomware developers, Russian hackers, making this ransom payment is the only way to acquire two different keys, public and private, and recover lost data, so there is no surprise that users keep paying. As a result, the ransomware business is now considered to generate $2 billion per year.[4]

Needless to say, you should not give in to the pressure of hackers and pay a required ransom because it does not guarantee the retrieval of encrypted information. Instead, opt for Troldesh ransomware removal to prevent the further loss of your files. For that purpose, we recommend using FortectIntego

The sample of Troldesh ransomware

Troldesh uses private and public keys that are mathematically interrelated, so files that are encrypted with a public key can only be decoded with the private key. You can feel safer if you have an extra copy of each of your file. In this case, you can avoid making the required payment. However, note that you have to remove Troldesh ransomware first before proceeding to the data recovery procedure. 

While the requirement to pay the ransom is given in Russian and English, it is believed that Russia and English-speaking countries are the main targets. In the beginning, the virus tended to use the TOR browser to monitor the payments received from the victims.

Recently, it has been observed that it switched to another way of communication. In the README.txt file, Troldesh presents an email address. Thus, when victims contact them, cybercriminals indicate the amount of ransom. Surprisingly, after contacting the hackers directly, some users even managed to negotiate with hackers and succeeded in receiving a discount!

Troldesh ransomware virus

If you have never been infected with ransomware, we highly recommend thinking about backups of your files right now! Keep in mind that ransomware business is booming and one of six email messages is set to infect users and block their files. To keep them protected, you can choose from several options. More information about them is given in this post: Why do I need backup and what options do I have for that?

It may seem that making the payment is the easiest way to remove Troldesh, you should never do that because it is likely that you will end up with lost money and no recovered data at all. In addition, you will support hackers and their future crimes in this way.

Troldesh ransomware 2019 attacks 

June 2019 came with new reports about Troldesh files virus and the recent attacks that show the spikes on cryptovirus attacks in Russia, Mexico, and the United States. Researchers blocked hundreds of thousands of virus attacks that started the most active in January and lasted up until June 24th.

These campaigns also show the new distribution technique – social network campaigns, during which the malicious links get delivered via messaging applications and phishing emails. In the report researchers state that the malware seems to be dangerous and possibly will stay prevalent in the future:

We see a spike in the number of its attacks that is probably more to do with Troldesh operators trying to push this strain harder and more effectively than any kind of significant code update.

Troldesh versions:

Shade ransomware. It is known that these two ransomware viruses are related. To encrypt victim's files, it uses identical AES-256 encryption and generates two different keys for the user. Shade is also known to use .7h9r, .xtbl, .ytbl, .da_vinci_code, no_more_ransom, .better_call_saul, .heisenberg, .breaking_bad, and .windows10 file extensions to mark encrypted files. The ransom note is saved in README.txt file. 

Virus Encoder uses AES encryption keys to lock out the target information. Moreover, the virus has a distinctive feature – it hides a decryption key in its command and control server. The virus attaches .xtbl extension to all corrupted files and asks paying a ransom in the same “README.txt” file. The ransom note is written in Russian and English.

Troldesh cryptovirus

The distribution method of the ransomware

Troldesh ransomware or any other similar threat spreads through several means. The main of them is considered spam. Security experts have already warned users about misleading emails that claim to be important messages from governmental authorities, reputable companies, etc. It seems that one out of six emails is filled with infected email attachments.

If you have recently received an email informing of a delivered package or urging you to review invoice details, do not make any reckless actions. Before opening such emails or attachments, contact the company directly. If you believe that an email is fake and could be related to spammers or hackers, you should never click on its attachment.

Besides, cybercriminals use corrupted websites that barely differ from the original and legitimate websites. If you found yourself on a website that seems too good to be true, you need to leave it without wasting your time. Additionally, make sure you stay away from suspicious pop-up ads which might be offering free updates, unbelievable prizes, and similar things. If you click on such ads or visit the mentioned websites, you might let ransomware to your system. Cybersecurity specialists report that this virus infects systems in a form of trojan-Ransom.Win32.Shade. 

Update on ransomware distribution

Current samples of Troldesh are detected as fake TPVCGateway.exe files. It belongs to ThinPrint Virtual Channel Gateway command developed by a mobile software manufacturer Cortado AG. Crooks employ the same technique as other ransomware. By disguising the malware under the name of popular programs or files, they expect victims to execute them without any suspicions.

The recent analysis also reveals that the malware is detected as Gen:Variant.Razy.167623, Gen:Variant.Razy.167623, or Ransom:Win32/Troldesh.A[5]. It suggests that the malware is related to another well-known virtual threat – Razy ransomware.

The latter threat has released its updated version under the name of Salsa virus. It implies that the same gang of felons might be behind these threats. Furthermore, it has been revealed that Kelihos botnet is responsible for the cyber campaign of this threat. Therefore, you should stay vigilant and strengthen the protection of the device by keeping your system applications up-to-date.

Troldesh ransomware removal tips

To remove Troldesh from the system, you need to scan your computer with updated anti-spyware. Keep in mind that closing a huge black warning message, claiming that your files are blocked, is not enough to eliminate this ransomware. Otherwise, it can initiate the second encryption of your files.

For a successful Troldesh removal, we recommend using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. The software will reveal each of malicious files, their location, and will remove all these components with only one click, so it will greatly speed up the elimination process.

After that, you should start thinking about all the possible alternatives for file recovery. If you have their extra copies saves somewhere in portable hard drives, clouds or even simple CDs, you can recover these files with their help. Otherwise, please, follow the data recovery tips presented by our experts.

Speaking of ransomware prevention means, you should restrain from opening spam emails which contain suspicious attachments, avoid visiting insecure file sharing domains, and update your security programs regularly.

If you encountered problems related to Troldesh virus removal, use instructions provided below.

3 comments

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.