Ransomware Research

Troldesh Ransomware

Troldesh is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on September 1, 2015, it has been actively targeting systems worldwide. Security researchers also track this malware under the alias Shade.

Quick Facts

  • Ransomware Family: Troldesh
  • First Seen: September 1, 2015
  • Known Aliases: Shade

How Troldesh Ransomware Works

Targeted Files

  • Behaviour: long delay before encryption begins
  • Full extension examples observed on encrypted files:
      .id-C63F241F.centurion_legion@aol.com.xtbl
      8R873BG.......eCtkP8ILBba8eWtDadJGoecbQ==.7217C0C9045F25C60FC6.da_vinci_code
      siUOGG4cikYwdYyjsTpVK+awdyBfhLiMeUeQAXTms5w=.FF27721E9609EBD02014.crypted000007
  • Sample analysis: https://www.hybrid-analysis.com/sample/c8fa3d43f2eaf1fb5a017f3054ae9612569f177c8cb334d46d6cc4eef19fdcfe?environmentId=100

File Encryption Patterns

Troldesh modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • .xbtl
  • .xtbl
  • .cbtl
  • .no_more_ransom
  • .better_call_saul
  • .windows10
  • .dexter
  • .crypted000007
  • .da_vinci_code
  • .breaking_bad
  • .heisenberg
  • .magic_software_syndicate
  • .crypted000078

Ransom Note and Payment Demands

After encrypting files, Troldesh drops ransom notes demanding payment for file recovery. Each entry below gives the note type, the file name (or name pattern) it is written under, the sample held in this database, and the locations it is dropped to:

  • Text file matching /^README\d{1,2}\.txt$/ (sample: notes/README10.txt); dropped to: Desktop, root of discs
  • Text file "How to decrypt your files.txt" (sample: notes/How to decrypt your files.txt); dropped to: Desktop, StartUp
  • Screenshot image (sample: notes/How to decrypt your files.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/How to decrypt your files1.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/How to decrypt your files2.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/How to decrypt your files3.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/How to decrypt your files4.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/FBD1B9FDFBD1B9FD.bmp); dropped to: Desktop
  • Screenshot image (sample: notes/wp.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/HOW TO DECRYPT DATA.jpg); dropped to: Desktop
  • Screenshot image (sample: notes/DECRYPT.jpg); dropped to: Desktop
  • Text file "DECPYPT FILES.txt" (sample: notes/DECPYPT FILES.txt); dropped to: Desktop
  • Text file "HOW TO DECRYPT DATA.txt" (sample: notes/HOW TO DECRYPT DATA.txt); dropped to: Desktop, StartUp
  • Text file "Decryption instructions.txt" (sample: notes/Decryption instructions.txt); dropped to: Desktop, StartUp
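
The extension patterns and ransom note names above can be turned into a file-name classifier for triage of a suspect directory listing. The following is an added example, not Elastio's code: the two full-extension shapes (`<original>.id-<8 hex>.<contact e-mail>.<ext>` and `<base64 blob>.<20 hex>.<ext>`) are generalised from the two complete samples in the Targeted Files section, and the regexes, function names and sample listing are this example's own assumptions.

```python
import re

# Extensions Troldesh/Shade appends to encrypted files (from the list above).
TROLDESH_EXTENSIONS = {
    "xbtl", "xtbl", "cbtl", "no_more_ransom", "better_call_saul", "windows10",
    "dexter", "crypted000007", "da_vinci_code", "breaking_bad", "heisenberg",
    "magic_software_syndicate", "crypted000078",
}
_EXT = "|".join(sorted(TROLDESH_EXTENSIONS))

# Assumed full-extension shapes, generalised from the two complete samples:
#   <original>.id-<8 hex>.<contact e-mail>.<ext>   e.g. .id-C63F241F.centurion_legion@aol.com.xtbl
#   <base64 blob>.<20 hex>.<ext>                    e.g. siU...5w=.FF27721E9609EBD02014.crypted000007
ENCRYPTED_ID_EMAIL = re.compile(
    rf"^(?P<orig>.+?)\.id-(?P<id>[0-9A-F]{{8}})\.(?P<email>[^.\s]+@[^.\s]+\.[a-z]+)\.(?P<ext>{_EXT})$",
    re.I)
ENCRYPTED_B64_HEX = re.compile(
    rf"^(?P<blob>[A-Za-z0-9+/]+={{0,2}})\.(?P<id>[0-9A-F]{{20}})\.(?P<ext>{_EXT})$")

# Ransom note file names listed above (README note name is the page's own regex).
RANSOM_NOTE = re.compile(
    r"^(README\d{1,2}\.txt|How to decrypt your files\d?\.(txt|jpg)|HOW TO DECRYPT DATA\.(txt|jpg)"
    r"|DECPYPT FILES\.txt|DECRYPT\.jpg|Decryption instructions\.txt|wp\.jpg|FBD1B9FDFBD1B9FD\.bmp)$")


def classify(name):
    """Return ('encrypted', details), ('note', name) or None for a bare file name."""
    m = ENCRYPTED_ID_EMAIL.match(name)
    if m:
        return "encrypted", {"variant": m["ext"].lower(), "victim_id": m["id"],
                             "contact": m["email"], "original": m["orig"]}
    m = ENCRYPTED_B64_HEX.match(name)
    if m:  # original name is hidden inside the base64 blob, so it cannot be recovered here
        return "encrypted", {"variant": m["ext"].lower(), "victim_id": m["id"],
                             "contact": None, "original": None}
    if RANSOM_NOTE.match(name):
        return "note", name
    return None


def scan(names):
    """Summarise a listing: encrypted-file and note counts plus the variants and contacts seen."""
    summary = {"encrypted": 0, "notes": 0, "variants": set(), "contacts": set()}
    for n in names:
        hit = classify(n)
        if hit is None:
            continue
        if hit[0] == "encrypted":
            summary["encrypted"] += 1
            summary["variants"].add(hit[1]["variant"])
            if hit[1]["contact"]:
                summary["contacts"].add(hit[1]["contact"])
        else:
            summary["notes"] += 1
    return summary
```

Constructed listing for a quick run: `scan(["budget.xlsx.id-C63F241F.centurion_legion@aol.com.xtbl", "README10.txt", "notes.txt"])` reports one encrypted file of variant xtbl, one note and the contact address.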

Technical Indicators

Associated Executable Files

The following executable files are associated with Troldesh ransomware:

  • csrss.exe
  • CSRSS.Exe
  • CSRSS0.dll
  • ClamWinPortable-OYrhgtQ2.exe
  • TPVCGateway
  • TPVCGateway.exe
  • fan.EXE
  • cuteftp.exe
  • sserv.jpg
  • WUDFHost.exe
  • myfile.exe
  • MSBuild.exe
  • 1c.jpg
  • csrss(188).gxe
  • 1c_1_.jpg
  • 6DYO88DN.exe
  • centurion_legion@aol.com.exe
  • schet.23.05.doc.exe
  • Qki2.dot
  • U1Midlpu.xlt
  • baba all.exe
  • babaalll.exe
  • executable.exe
  • Payload1.exe
  • Payload.exe
  • setap2.exe
  • ninja_gaiver@aol.com.exe

Elastio Can Help You

Don't let Troldesh ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This Troldesh ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Troldesh.

Last updated: July 30, 2025

Troldesh Ransomware - Detectable by Elastio