Malicious e-mails sent to Russian companies have become more frequent. The attackers write on behalf of banks, large airlines, car dealers and media outlets, offering cooperation and advising the recipient to open the attached file, which supposedly contains the details of a lucrative deal. If the user does so, the computer is infected with the so-called Troldesh malware, which encrypts files on the infected device and demands a ransom.
The fraudsters claim to be employees of these companies and attach a password-protected archive to the message, which, according to them, contains the details of the order. In fact, the archive contains the malware. Once the victim opens it, important files on the system are encrypted and can only be recovered by paying the ransom demanded by the fraudsters. Naturally, the addresses from which the messages are sent are fake.
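The two traits described above, a password-protected archive as the attachment and a sender address that does not match the organisation being impersonated, are both visible in mail metadata before anything is opened. The following added example (not code from the article or from Group-IB) shows how a mail gateway or triage script could flag both: it checks the ZIP general-purpose flag bit 0, which marks encrypted entries, and compares the domain in the From header with the envelope sender recorded in Return-Path. The message, addresses and archive are constructed samples; the domain names and the `analyze_message` function name are assumptions for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Content types under which ZIP attachments commonly arrive.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}


def is_password_protected_zip(data: bytes) -> bool:
    """True if any ZIP entry has the 'encrypted' general-purpose flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def domain_of(header_value) -> str:
    """Lower-cased domain part of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: bytes) -> list:
    """Return a list of findings for one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Claimed sender (From) vs. envelope sender the receiving MTA recorded (Return-Path).
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append("sender_domain_mismatch")

    # Any password-protected ZIP attachment is flagged, regardless of file name.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and part.get_content_type() in ARCHIVE_TYPES and is_password_protected_zip(payload):
            findings.append("password_protected_archive_attachment")
            break
    return findings


def make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so for the
    'encrypted' case only the flag bit is set in the local and central headers; the
    detector inspects the flag, not the content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.doc", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        lh = data.find(b"PK\x03\x04")  # local file header: flags at offset 6
        data[lh + 6] |= 0x01
        cd = data.find(b"PK\x01\x02")  # central directory header: flags at offset 8
        data[cd + 8] |= 0x01
    return bytes(data)


def build_sample(spoofed: bool) -> bytes:
    """Constructed message modelled on the campaign described in the text (all values invented)."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Cooperation proposal - order details attached"
    msg["From"] = "Sales Department <sales@example-bank.test>"
    msg["To"] = "accounting@victim-company.test"
    # Return-Path as a receiving MTA would record the envelope sender.
    msg["Return-Path"] = "<bounce@bulk-mailer.example.invalid>" if spoofed else "<sales@example-bank.test>"
    msg.set_content("Please see the attached archive for the details of the order.")
    msg.add_attachment(make_zip(encrypted=spoofed), maintype="application",
                       subtype="zip", filename="order_details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("suspicious sample:", analyze_message(build_sample(spoofed=True)))
    print("benign sample:   ", analyze_message(build_sample(spoofed=False)))
```

Neither finding is proof of malice on its own (legitimate bulk mailers also produce a Return-Path in a different domain), but the combination of an impersonated organisation and an archive whose contents scanners cannot inspect is exactly the pattern the article describes and is cheap to quarantine for review.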
Group-IB found that in June more than a thousand such messages were sent to various Russian companies. In this quarter alone, the number of attacks using Troldesh was 2.5 times higher than in 2018. Yaroslav Kargalev, Deputy Head of the Information Security Incident Monitoring and Response Division at Group-IB, said that it is almost impossible to eradicate the malware.
Group-IB experts noted that Troldesh was previously distributed mainly on behalf of banks, but the attackers have since stopped doing so, as banks have strengthened their anti-phishing measures.
It is worth noting that Troldesh can be bought or rented on specialized darknet sites. Judging from the latest attacks, Troldesh not only encrypts files but also mines cryptocurrency and generates traffic to websites, inflating their visitor numbers and their revenue from online advertising.
Group-IB experts also stressed that a fairly large infrastructure is involved in distributing the malware, including servers and infected IoT (Internet of Things) devices such as routers. The distribution campaign is still active.
This is not the first time Troldesh has been used against companies. Such attacks were first recorded in 2015, and the largest took place in March 2019, when the messages purported to come from well-known retailers as well as financial and construction companies.