{
	"id": "0feda0a4-d558-4e94-98a7-4d78f6583811",
	"created_at": "2026-05-07T02:43:02.462025Z",
	"updated_at": "2026-05-07T02:44:10.974488Z",
	"deleted_at": null,
	"sha1_hash": "9605dc023af77ad3587d6e9e4da328a4d337ab32",
	"title": "“Troldesh” – New Ransomware from Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60265,
	"plain_text": "“Troldesh” – New Ransomware from Russia\r\nBy bferrite\r\nPublished: 2015-06-01 · Archived: 2026-05-07 02:25:04 UTC\r\nOverview\r\n“Troldesh”, aka Encoder.858 or Shade, is a Trojan and a crypto-ransomware variant created in Russia and spread all over the world.\r\nTroldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. Troldesh is spread initially via e-mail spam.\r\nA distinctive feature of the Troldesh attack is direct communication with the victim. While most Ransom-Trojan attackers try to hide themselves and avoid any direct contact, Troldesh’s creators provide their victims with an e-mail address. The attackers use this e-mail correspondence to demand a ransom and dictate a payment method.\r\nIn this report you’ll learn about the infection procedure, the primary symptoms, and you will find out how I ended up getting a discount from the hackers.\r\nThe Infection Process\r\nAs mentioned previously, Troldesh is a Trojan which encrypts all the user’s data and demands a ransom in exchange for decryption.\r\nIn my research, I used a malicious sample with this hash downloaded from VirusTotal:\r\na8b27aa4fe7df15a677f9ab9b62764d557525059a9da5f4196f1f15049e2b433\r\nAfter execution, Troldesh encrypts all of the user’s data and displays this message:\r\nAdditionally, it renames the encrypted files using this format: [random characters]=.xtbl. For example, this is a screenshot of my machine’s “Pictures” folder with the encrypted files:\r\nApproximately 20 txt files were placed on my desktop. In other cases, a txt file was placed in each folder that had an encrypted file.\r\nEach txt file has the filename in the format README[number].txt and looks like this:\r\nThe user is instructed to send a specified code to the e-mail address provided.\r\nTo summarize, a Troldesh infection displays these characteristics:\r\nA warning message on the user’s screen\r\nRegular files replaced by the encrypted files with the .xtbl extension\r\nhttps://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/\r\nPage 1 of 3\n\nREADME[number].txt files for information and contact data\r\nHow I Got a Discount From the Hackers\r\nI was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain.\r\nAfter several minutes I received an answer with my next instructions.\r\nThe extortionists said to send them one encrypted file to prove they could decrypt it. They demanded 250 euros to decrypt all of the files.\r\nSomething about this transaction bothered me. Was their answer generated automatically or was there a real person on the other end? To find out, I decided to accept the hackers’ “generous” offer and send them an encrypted file for decryption. At the same time, I tried to start a conversation with them to see whether I could persuade them to give me the key for free, or at least get a decent discount.\r\nTo my great surprise, after a minute I got an answer from a real person who was open to discussion! Since the answer and all of the following conversation were in Russian, a translation is provided under each screenshot.\r\n“The guarantee is our word of honor. You can pay in rubles, 12000 RUB.”\r\nI checked the currency exchange rate and saw that I received a discount of approximately 15% (~35 euro). A decrypted version of the encrypted file I sent earlier was attached to the same e-mail.\r\nI continued asking about payment methods and if there was a specific time frame.\r\n“How can I pay? I don’t see any requisites. Are there any time frames?”\r\n“The payment should be done to the QIWI purse, requisites are changing frequently. As soon as you will be ready to pay, write me, and I’ll send an actual requisites.\r\n12000 RUB is a sum with discount!\r\nYou have only 2 days to pay.”\r\nI took a break at this point and after almost a week wrote them again. I still had hopes of getting the key for free.\r\n“I ask you: please, return my data – this is almost all of my life for the last several years!\r\nI really don’t have much money to pay you!\r\nBe humane!!!”\r\n“The best I can do is to bargain”\r\n“Please send me the key.\r\nAnyway, I can’t pay, neither with bargain, nor without it. Even one thousand rubles is a big sum for me.\r\nThe case in which I’ll lose all of my personal and work(!) files will not make your life easier…”\r\n“7000 is a minimal cost for you\r\nDecide for yourself\r\nThere is no way to get the key for free”\r\nBy the end of our correspondence, I managed to get a discount of 50%. Perhaps if I had continued bargaining, I could have gotten an even bigger discount.\r\nSource: https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/"
	],
	"report_names": [
		"troldesh-new-ransomware-from-russia"
	],
	"threat_actors": [],
	"ts_created_at": 1778121782,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9605dc023af77ad3587d6e9e4da328a4d337ab32.pdf",
		"text": "https://archive.orkl.eu/9605dc023af77ad3587d6e9e4da328a4d337ab32.txt",
		"img": "https://archive.orkl.eu/9605dc023af77ad3587d6e9e4da328a4d337ab32.jpg"
	}
}