Security researchers from the Microsoft Malware Protection Center (MMPC) have come across a new version of the Troldesh ransomware, also dubbed Encoder.858 and Shade Ransomware.

While ransomware variants constantly evolve with small tweaks here and there, this version of Troldesh comes with extensive modifications to the threat's entire mode of operation.

Troldesh evolves from personal email conversations to TOR payment site

This recent version of Troldesh has finally made the jump to the Dark Web, utilizing a dedicated payment portal where users can go, enter a special ID from the ransom note, and receive further instructions on how to pay the ransom.

Previous versions of Troldesh just displayed an email address where users were asked to send an email to receive further instructions.

Security researchers often report these email addresses to the services where they are hosted and have them taken down.

Tor payment site is currently down making file recovery impossible

Troldesh's authors probably had enough of constantly creating new email addresses and compiling new ransomware versions that included these (different) email addresses in the ransom note, and decided to use a Tor website instead.

Using a Tor website is also a good thing for victims (if getting infected with ransomware can be considered good in any way), at least for those who want to pay the ransom.

After an email address is taken down, victims do not have a way to contact the ransomware authors and have no other means of recovering the files. Taking down a Tor-based website is a little harder, even impossible, for a security firm.

In its current ransom notes, Troldesh uses Tor network proxy servers to list the Tor URLs, via the onion.to and the onion.cab websites. The onion.cab URL is currently down, according to Microsoft, and users that want to pay can access that site using the Tor Browser and typing the URL, except the .cab at the end.

New and more artsy file extensions

Other changes included with Troldesh is the usage of two creative extensions that are added to the end of encrypted files: .da_vinci_code and .magic_software_syndicate.

There are also some errors in the ransom note, but not that significant. Additionally, Troldesh now encrypts even more file type categories and also infects users with additional malware called Mexar. This malware is new, and Microsoft saw it for the first time on July 7. As such, there are very few details about what this threat does.

In statistics released a few days ago, Microsoft ranked Troldesh as the tenth most active ransomware family in the past 30 days.