Home / Spyware Help / Troldesh Ransomware Removal Guide

Troldesh Ransomware Removal Guide

by 0 Comments

Do you know what Troldesh Ransomware is?

Our malware researchers have analyzed a new malicious application known as Troldesh Ransomware, and as it turns out, it is set to encrypt your files and request payment for the decryption tool. Apparently, this malware was created for the purpose of making easy money because some people will pay as much as it is needed to get their files back. It can enter your computer if it is not protected by an anti-malware application and encrypt your files and, in this article, we will tell you everything you need to know about it in case it enters your computer. We advocate for the safe removal of this program, and we suggest consulting the instructions on how to get rid of it found below.

Our security analysts have obtained this ransomware’s dropper file and ran in on a test computer in our internal lab. It turns out that, upon infection, its executable named csrss.exe is placed in C:\ProgramData\Windows. Furthermore, this ransomware creates a registry string called Client Server Runtime Subsystem in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that is set to run csrss.exe on each system startup. However, this ransomware does not encrypt new files on each start up. Testing has also shown that this ransomware will add the extension called .xtbl to each encrypted file and change the desktop wallpaper with an image that functions as the ransom note.Troldesh Ransomware Removal GuideTroldesh Ransomware screenshot
Scroll down for full removal instructions

This image says that all of your important files have been encrypted and that you need to open a text file named README.txt that is set to be dropped on the desktop and in all folders where files have been encrypted. In short, README.txt says that your files have been encrypted and that you have to send the provided code to one of two included email addresses. Then, you will receive further instructions on how to pay the ransom. Researchers have found that the cyber criminals usually demand $280 to $130 that you are expected to pay in Bitcoins.

According to our researchers, Troldesh Ransomware is set to encrypt dozens of file formats that include xml, mp3, db, dat, ini, log, json, gif, png, bmp, js, wmv jpg, txt, and bin, among other file formats. It goes without saying that this ransomware targets files that are more likely to contain personal and valuable information for which you would be willing to pay the asked amount of money. However, we want you to consider the possibility that the cyber criminals might not send you the decryption tool, and your files will remain encrypted indefinitely. Now that you know how this ransomware works let us take a closer look at its possible dissemination methods.

In truth, there is literally no information about how Troldesh Ransomware can infect your computer, but we want to mention a few most probably ways it can enter your PC. First, email spam is a favorite among ransomware developers since a well-executed social engineering ploy can convince users to open a fake email and open the dropper file attached to it. This will initiate the infection, and if you do not have an antimalware application, then there is no way to stop it. It might also infect your computer if you click fake download buttons of websites that host pirated software. The methods used to disseminate it are only limited by the imagination of the people that created it.

Since Troldesh Ransomware is a highly malicious application, we advise that you remove it as soon as possible. Our security specialists have made a manual removal guide that you can use. However, a safer approach is to use an antimalware application such as SpyHunter as it is more than capable of deleting this ransomware and protecting your PC from future infections.

Removal Guide

  1. Simultaneously press Windows+E keys.
  2. Type C:\ProgramData\Windows in the address box.
  3. Find csrss.exe and delete it.
  4. Close the window.

Delete the registry key

  1. Simultaneously press Windows+R keys.
  2. Type regedit in the dialog box and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find Client Server Runtime Subsystem and delete it.
  5. Close the Registry Editor.

In non-techie terms:

Troldesh Ransomware is a type of malware that is dedicated to encrypting your files for the purpose of extracting money from you. Its developers demand that you pay a ransom for the decryption tool. Even though they usually do not ask for much, we think that paying it is a bad idea because you might not get the decryption tool in the end anyway. So do not hesitate and remove this infection ASAP.