Severity scale: 98/100

Troldesh virus. How to remove? (Uninstall guide)

Removal guide by Ugnius Kiguolis. Also known as: Troldesh ransomware, Troldesh. Type: Ransomware

Troldesh is considered the most “productive” ransomware

[Image: the ransom note of the Troldesh virus]

Troldesh ransomware is a dangerous virus that hails from Russia. It is alternatively known as CrySis ransomware, xtbl, Shade, Virus Encoder, Green_Ray, Ecovector, and gerkaman@aol.com.xtbl. All of its versions function as file-encrypting threats: they encrypt the victim's files and demand a ransom. The first signs of this virus were noticed back in 2015. Two years later, security experts consider it one of the most productive ransomware viruses.[1]

Using an asymmetric encryption algorithm, Troldesh is capable of encrypting a broad range of audio, video, Excel, and similar files. After it finishes this procedure, it appends the .xtbl, .crypted000007, .dexter, .da_vinci_code, .no_more_ransom and .magic_software_syndicate file extensions to the damaged data.[2] It also changes the wallpaper to a ransom note filled with links to Tor addresses. The ransom note can be written either in English or in Russian.

The ransom demanded by the Troldesh virus varies from 0.5 to 1.5 BTC. However, since the ransomware has started using lateral movement tools such as Mimikatz, the ransom can increase. According to the hackers, making this payment is the only way to acquire the two different keys, public and private, and recover the lost data, so it is no surprise that users keep paying. As a result, the ransomware business is now estimated to generate $2 billion per year.[3]

Needless to say, you should not give in to the pressure of the hackers and pay the required ransom, because it does not guarantee the retrieval of the encrypted information. Instead, opt for Troldesh removal to prevent further loss of your files. For that purpose we recommend using Reimage.

Troldesh uses private and public keys that are mathematically interrelated, so files that are encrypted with the public key can only be decoded with the private key. You can feel safer if you have an extra copy of each of your files; in that case, you can avoid making the required payment. However, note that you have to remove Troldesh ransomware first before proceeding to the data recovery procedure.

Since the ransom demand is written in Russian and English, Russia and English-speaking countries are believed to be the main targets. In the beginning, the virus tended to use the TOR browser to monitor the payments received from the victims.

Recently, it has been observed that it switched to another way of communication. In the README.txt file, Troldesh presents an email address, and when victims make contact, the cyber criminals state the amount of the ransom. Surprisingly, after contacting the hackers directly, some users even managed to negotiate with them and received a discount!

If you have never been infected with ransomware, we highly recommend thinking about backups of your files right now! Keep in mind that the ransomware business is booming and one in six email messages is set to infect users and block their files. To keep your files protected, you can choose from several options. More information about them is given in this post: Why do I need backup and what options do I have for that?

Although it may seem that making the payment is the easiest way to remove Troldesh, you should never do that, because you are likely to end up with lost money and no recovered data at all. In addition, you would be supporting the hackers and their future crimes.

Troldesh versions:

Shade ransomware. These two ransomware viruses are known to be related. To encrypt the victim's files, Shade uses the same AES-256 encryption and generates two different keys for the user. Shade is also known to use the .7h9r, .xtbl, .ytbl, .da_vinci_code, .no_more_ransom, .better_call_saul, .heisenberg, and .windows10 file extensions to mark encrypted files. The ransom note is saved in a README.txt file.

Virus Encoder uses AES encryption keys to lock the targeted information. Moreover, the virus has a distinctive feature: it keeps the decryption key on its command and control server. The virus attaches the .xtbl extension to all corrupted files and demands a ransom payment in the same “README.txt” file. The ransom note is written in Russian and English.
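Added example (not code from the article or from any product it recommends): a Python triage scan that walks a directory tree and reports the Troldesh/Shade indicators described above, namely the appended file extensions and a README.txt ransom note. The note-content heuristic and the sample files are assumptions constructed for this example.

```python
# Added example (not from the original article): a defender-side triage scan
# for Troldesh/Shade artefacts. It flags files carrying the encrypted-file
# extensions the article lists and README.txt notes that read like a demand.
import os
import re
import tempfile

# Extensions the article attributes to Troldesh and its Shade variant.
TROLDESH_EXTENSIONS = {
    ".xtbl", ".ytbl", ".crypted000007", ".dexter", ".da_vinci_code",
    ".no_more_ransom", ".magic_software_syndicate", ".7h9r",
    ".better_call_saul", ".heisenberg", ".windows10",
}
# Note file name is from the article; the content heuristic (Tor links,
# ransom wording, a contact e-mail) is an assumption for this example.
NOTE_NAME = "readme.txt"
NOTE_PATTERN = re.compile(r"\.onion|ransom|decrypt|\S+@\S+\.\w+", re.IGNORECASE)


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Troldesh appends its marker after the original extension
            # ("report.docx.xtbl"), so the last suffix is the indicator.
            if os.path.splitext(name)[1].lower() in TROLDESH_EXTENSIONS:
                encrypted.append(path)
            elif name.lower() == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if NOTE_PATTERN.search(fh.read()):
                        notes.append(path)
    return encrypted, notes


def build_sample_tree():
    """Create a constructed sample directory and return its path."""
    root = tempfile.mkdtemp(prefix="troldesh_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {  # constructed files: two "encrypted", one note, one benign
        "docs/report.docx.xtbl": b"\x00ciphertext\x00",
        "docs/photo.jpg.crypted000007": b"\x00ciphertext\x00",
        "docs/README.txt": b"Your files are encrypted. Write to gerkaman@aol.com\n",
        "README.txt": b"Project readme, nothing unusual here.\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_tree(build_sample_tree())` to see the two marked files and the single note reported; on a real host, point `scan_tree` at the user profile or a mapped share after isolating the machine.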

The distribution method of the ransomware

Troldesh ransomware, like any other similar threat, spreads through several means. The main one is spam. Security experts have already warned users about misleading emails that claim to be important messages from governmental authorities, reputable companies, etc. It seems that one out of six emails carries an infected attachment.

If you have recently received an email informing you of a delivered package or urging you to review invoice details, do not act rashly. Before opening such emails or attachments, contact the company directly. If you believe that an email is fake and could be related to spammers or hackers, never click on its attachment.

Besides, cyber criminals use corrupted websites that barely differ from the original, legitimate ones. If you find yourself on a website that seems too good to be true, leave it without wasting your time. Additionally, stay away from suspicious pop-up ads which might offer free updates, unbelievable prizes, and similar things. If you click on such ads or visit the advertised websites, you might let ransomware into your system. Cyber security specialists report that this virus is detected as Trojan-Ransom.Win32.Shade.

Update on ransomware distribution

Current samples of Troldesh are detected as fake TPVCGateway.exe files. The legitimate file of that name belongs to the ThinPrint Virtual Channel Gateway, developed by the mobile software manufacturer Cortado AG. Crooks employ the same technique as other ransomware: by disguising the malware under the name of a popular program or file, they expect victims to execute it without suspicion.

Recent analysis also reveals that the malware is detected as Gen:Variant.Razy.167623 or Ransom:Win32/Troldesh.A[4]. This suggests that the malware is related to another well-known threat, Razy ransomware.

The latter threat has released an updated version under the name of Salsa virus, which implies that the same gang of criminals might be behind these threats. Furthermore, it has been revealed that the Kelihos botnet is responsible for the distribution campaign of this threat. Therefore, you should stay vigilant and strengthen the protection of your device by keeping your system and applications up-to-date.

Troldesh removal tips

To remove Troldesh from the system, you need to scan your computer with updated anti-spyware. Keep in mind that closing the huge black warning message claiming that your files are blocked is not enough to eliminate this ransomware; if you only close it, the ransomware can encrypt your files a second time.

For a successful Troldesh removal, we recommend using Reimage or Malwarebytes Anti Malware. The software will reveal each malicious file and its location, and will remove all of these components with one click, which greatly speeds up the elimination process.

After that, you should start thinking about all the possible alternatives for file recovery. If you have extra copies saved somewhere on portable hard drives, in cloud storage or even on simple CDs, you can recover your files from them. Otherwise, please follow the data recovery tips presented by our experts.

As for ransomware prevention, you should refrain from opening spam emails that contain suspicious attachments, avoid visiting insecure file sharing domains, and update your security programs regularly.

If you encountered problems related to Troldesh virus removal, use instructions provided below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Troldesh virus you agree to our privacy policy and agreement of use.
What to do if failed?
If you failed to remove the infection using Reimage, submit a question to our support team and provide as many details as possible.
Reimage is recommended to uninstall Troldesh virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

Manual Troldesh virus Removal Guide:

Remove Troldesh using Safe Mode with Networking

To eliminate this virus with the help of Safe Mode, follow these steps before launching the anti-spyware tool.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Troldesh

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Troldesh removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Troldesh using System Restore

To remove Troldesh ransomware with System Restore, follow these steps.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated prior to the infiltration of Troldesh. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that Troldesh removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Troldesh from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Troldesh, you can use several methods to restore them:

Using Data Recovery Pro to recover encrypted files

Data Recovery Pro is one of the options for recovering your files. Nonetheless, the program cannot guarantee that all of your files will be restored, since it was originally designed to recover lost data after a system crash.

Make use of Shadow Explorer

This tool works on the basis of shadow volume copies, so if the ransomware has not deleted them, there is a good chance you can restore your encoded documents and files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check which folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Troldesh and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Ugnius Kiguolis - The mastermind




  • Terry

    So can I get a discount for the ransom as well? 🙂

  • Jack

    I wonder if it will evolve to such state as CryptoWall.

  • Katherine

    Give me a break, not again ransomware!