Troldesh, also known as Encoder.858 and Shade, targets Windows OS and it is distributed via the Axpergle and Nuclear exploit kits. First seen in 2015, Troldesh previously provided an email address for victims to contact the attackers in order to negotiate the payment of the ransom. A recently discovered version of Troldesh, however, now uses a payment portal located on the Dark Web and requires victims to use Tor in order to visit the site and submit the ransom amount. It also comes bundled with additional malware named Mexar, downloads the Teamspy bot to obtain remote control of the victim’s machine, and requests URLs of other malware sites from its C2 server. It also scans the victim’s machine for banking files and software in an attempt to extort as much money as possible out of the victim. The original version appended .xbtl or .cbtl to encrypted files. The new version of Troldesh appends either .da_vinci_code or .magic_software_syndicate to encrypted files. The ransom amount varies and one Check Point security researcher reported negotiating a discount from the attackers behind the campaign.
UPDATE 11/28/2016: A newly discovered Shade sample appends .no_more_ransom to encrypted files.
UPDATE 4/16/2017: A new version appends .dexter to encrypted file names.
UPDATE 5/1/2017: A new version appends .crypted000007 to encrypted file names.