Troldesh Ransomware

Spotlight on Troldesh ransomware (aka ‘Shade)

Posted:ByPieter ArntzLast update:

Despite the decrease in ransomware infections, there are still ransomware families. Ransom. Troldesh, aka Shade, is one of them. Our product telemetry shows that Shade saw a sharp rise in detections between Q4 2018 and Q1 2019.

If we notice a rapid spike in malware families being detected, it means that we are in the middle of active and successful campaigns. So let’s take a look at this “shady” ransomware to learn how it spreads, what are its symptoms, why it’s dangerous to your business, and how you can protect against it.

Troldesh spiked February 2019

Infection vector

A part of the obscure Troldesh Javascript

Troldesh email senders are often spoofed so we can conclude that threat actors behind this campaign use phishing to try to trick users into opening attachments.

Troldesh’s origin is Russian, as its ransom notes were written in Russian and English.

Windows OS is the target OS. To get the infection started, victims will need to extract the attachment and double-click on the Javascript file.

Ransomware behavior

After the encryption process is completed, ransomware leaves some readme#.txt files behind on infected computers. It’s most likely that at least one of these files will be read by the victim. These text files contain the same message as the ransom notice.

Extensions of targeted files

Troldesh searches for files that have these extensions on remote, fixed, and removable drives.


Files are encrypted using AES 256 in CBC mode. Two random 256-bit AES keys (one for each encrypted file) are generated. One is used by the file’s contents and the other to encrypt its name. After the filename is encrypted, the extensions are added.

Protect against Troldesh

Malwarebytes users have the ability to block Ransom. Troldesh by using several protection modules that can stop ransomware from decrypting files in real-time.

The ransomware is stopped by real-time protection from the files defined in our definitions

Our anti-exploit, anti-ransomware modules prevent suspicious behavior

Malwarebytes’ malicious site protection prevents compromised websites:

There are other methods of protecting yourself

You can take security precautions to prevent you from reaching the point where protection is required or files must be restored.

  • Send emails with attachments. These emails are not safe to send.
  • User education. They should inform the end-user not to open attachments or run executable files within attachments if they reach them. If your company has an anti-phishing plan they should also know to whom to forward the email to assist with investigations.
  • BlacklistingMany end users don’t need to be able to run scripts. You can blacklist those users in this cases.wscript.exe
  • Software and systems should be updated. Software updates can fix vulnerabilities and prevent exploits from being discovered.
  • Backup files. Backups that are reliable and easy to deploy can reduce recovery times.


These are the steps you need to take if you reach the point where remediation becomes necessary.

  • Do a complete system scan. Malwarebytes can detect and remove Ransom. Troldesh with minimal user interaction.
  • Files can be recovered. Troldesh is not able to decrypt files. Only backups made before the infection occurred or a rollback operation can be used to retrieve your files.
  • Eliminate the problem. You can delete the email that caused the problem.


AES 256 is a strong encryption method, but there are decryption tools that can be used to decrypt some Troldesh variants. You can find out more about these decryption tools at (look under “Shade” in the alphabetical list).

Troldesh victims are given a unique code and an email address. They also receive a URL to an onions address. For further instructions, victims of Troldesh are asked to contact the email address and mention their code. You should not pay ransom authors as they will finance their next wave.

Troldesh is different from other ransomware types due to a large number of readme#.txt files with ransom notes dropped on affected systems and contact via email with threat actors. It employs a classic attack vector, which relies heavily upon tricking unaware victims. It has proven to be quite effective in the past and its current wave. Unfortunately, the free decryptors only work with a small number of older versions. Therefore, victims will need to use backups and roll-back options.