Troldesh Ransomware
Troldesh is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on September 1, 2015, it has been actively targeting systems worldwide. Security researchers also track this malware under the alias Shade.
Quick Facts
- Ransomware Family: Troldesh
- First Seen: September 1, 2015
- Known Aliases: Shade
How Troldesh Ransomware Works
File Encryption Patterns
Troldesh modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
- .xbtl
- .xtbl
- .cbtl
- .no_more_ransom
- .better_call_saul
- .windows10
- .dexter
- .crypted000007
- .da_vinci_code
- .breaking_bad
- .heisenberg
- .magic_software_syndicate
- .crypted000078
Ransom Note and Payment Demands
After encrypting files, Troldesh displays ransom notes demanding payment for file recovery:
- /^README\d{1,2}\.txt$/
  - Ransom message: notes/README10.txt
  - Note locations: Desktop, RootDiscs
- How to decrypt your files.txt
  - Ransom message: notes/How to decrypt your files.txt
  - Note locations: Desktop, StartUp
- Ransom message: notes/How to decrypt your files.jpg
  - Note locations: Desktop
- Ransom message: notes/How to decrypt your files1.jpg
  - Note locations: Desktop
- Ransom message: notes/How to decrypt your files2.jpg
  - Note locations: Desktop
- Ransom message: notes/How to decrypt your files3.jpg
  - Note locations: Desktop
- Ransom message: notes/How to decrypt your files4.jpg
  - Note locations: Desktop
- Ransom message: notes/FBD1B9FDFBD1B9FD.bmp
  - Note locations: Desktop
- Ransom message: notes/wp.jpg
  - Note locations: Desktop
- Ransom message: notes/HOW TO DECRYPT DATA.jpg
  - Note locations: Desktop
- Ransom message: notes/DECRYPT.jpg
  - Note locations: Desktop
- DECPYPT FILES.txt
  - Ransom message: notes/DECPYPT FILES.txt
  - Note locations: Desktop
- HOW TO DECRYPT DATA.txt
  - Ransom message: notes/HOW TO DECRYPT DATA.txt
  - Note locations: Desktop, StartUp
- Decryption instructions.txt
  - Ransom message: notes/Decryption instructions.txt
  - Note locations: Desktop, StartUp
Technical Indicators
Associated Executable Files
The following executable files are associated with Troldesh ransomware:
csrss.exe
CSRSS.Exe
CSRSS0.dll
ClamWinPortable-OYrhgtQ2.exe
TPVCGateway
TPVCGateway.exe
fan.EXE
cuteftp.exe
sserv.jpg
WUDFHost.exe
myfile.exe
MSBuild.exe
1c.jpg
csrss(188).gxe
1c_1_.jpg
6DYO88DN.exe
centurion_legion@aol.com.exe
schet.23.05.doc.exe
Qki2.dot
U1Midlpu.xlt
baba all.exe
babaalll.exe
executable.exe
Payload1.exe
Payload.exe
setap2.exe
ninja_gaiver@aol.com.exe
About This Analysis
This Troldesh ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Troldesh.
Last updated: September 30, 2025