Remove New Troldesh Ransomware and Restore .da_vinci_code Files

A new version of the well-know Troldesh ransomware (also known as Encoder.858 and Shade ransomware) was just discovered by researchers at Microsoft Malware Protection Center. This latest version appears to be extensively updated.

Other Versions of Troldesh:

Threat Summary

Name	New Troldesh
Type	Ransomware Virus
Short Description	Encrypts files and demands payment.
Symptoms	.da_vinci_code and .magic_software_syndicate extensions are appended to the victim’s files.
Distribution Method	Not known yet, but most likely in spam campaigns, via exploit kits, malicious attachments, etc.
Detection Tool	See If Your System Has Been Affected by New Troldesh Download Malware Removal Tool
User Experience	Join our forum to discuss Troldesh ransomware.
Data Recovery Tool	Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

New Troldesh Ransomware July 2016 Technical Specifications

What’s New in Troldesh’s Latest Version?

Tor functionality;
Glyph/symbol errors on the wallpaper ransom note;
Modified extension names for encrypted files;
Updates in the ransom note that cover the added Tor functionality.
New malware being downloaded to the victim’s PC – Trojan:Win32/Mexar.A;

The most notable modification in this version is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware, Microsoft researchers explain.

A Tor address is now included in the ransom note, as opposed to the older Troldesh where an email address was the only way to provide decryption keys.

However, the Tor payment website is not functioning as it is reported to be down (see image above). This means that there’s no way to pay the ransom and recover the files through contacting the cyber criminals.

Other changes in the code of this new Troldesh are the “creative” file extensions – .da_vinci_code and .magic_software_syndicate.

Also, the crypto virus is now capable of encrypting even more file type categories and delivers an additional piece of malware – Mexar (Trojan:Win32/Mexar.A). This is a completely new malware, detected by Microsoft for the first time on July 7. No technical information is available at the moment, but it’s highly likely that the Trojan is an infostealer. We will update the article when we have more information.

Microsoft recently revealed that Troldesh is the tenth most active ransomware family in the past 30 days.

Troldesh Ransomware Removal and Restoration of .da_vinci_code and .magic_software_syndicate Files

Like we already said, paying the ransom is not possible because the Tor website is currently down. You can still remove the threat and try to get your files back via alternative methods. To do this, we advise you to carefully follow the removal instructions below and boot your computer in Safe Mode. From there, you may want to go over and take a look at the Manual and Automatic options for removal below.

In case Troldesh has modified various registry entries and has created additional files, experts strongly advise using an advanced anti-malware program to automatically remove the virus in Safe Mode without damaging your computer.

Manually delete New Troldesh from your computer

Note! Substantial notification about the New Troldesh threat: Manual removal of New Troldesh requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove New Troldesh files and objects

2. Find malicious files created by New Troldesh on your PC

3. Fix registry entries created by New Troldesh on your PC

Automatically remove New Troldesh by downloading an advanced anti-malware program

1. Remove New Troldesh with SpyHunter Anti-Malware Tool

2. Back up your data to secure it against infections and file encryption by New Troldesh in the future

Back up your data to secure it against attacks in the future

IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data automatically with cloud backup and insure it against any type of data loss on your device, even the most severe. We recommend reading more about and downloading SOS Online Backup .

To back up your files via Windows and prevent any future intrusions, follow these instructions:

1. For Windows 7 and earlier

1. For Windows 8, 8.1 and 10

1. Enabling the Windows Defense Feature (Previous Versions)

1-Click on Windows Start Menu

2-Type Backup And Restore
3-Open it and click on Set Up Backup

4-A window will appear asking you where to set up backup. You should have a flash drive or an external hard drive. Mark it by clicking on it with your mouse then click on Next.

5-On the next window, the system will ask you what do you want to backup. Choose the ‘Let Me Choose’ option and then click on Next.

6-Click on ‘Save settings and run backup’ on the next window in order to protect your files from possible attacks by New Troldesh.

1-Press Windows button + R

2-In the window type ‘filehistory’ and press Enter

3-A File History window will appear. Click on ‘Configure file history settings’

4-The configuration menu for File History will appear. Click on ‘Turn On’. After its on, click on Select Drive in order to select the backup drive. It is recommended to choose an external HDD, SSD or a USB stick whose memory capacity is corresponding to the size of the files you want to backup.

5-Select the drive then click on ‘Ok’ in order to set up file backup and protect yourself from New Troldesh.

1- Press Windows button + R keys.

2- A run windows should appear. In it type ‘sysdm.cpl’ and then click on Run.

3- A System Properties windows should appear. In it choose System Protection.

5- Click on Turn on system protection and select the size on the hard disk you want to utilize for system protection.
6- Click on Ok and you should see an indication in Protection settings that the protection from New Troldesh is on.

Restoring a file via Windows Defense feature:
1-Right-click on the encrypted file, then choose Properties.

2-Click on the Previous Versions tab and then mark the last version of the file.

3-Click on Apply and Ok and the file encrypted by New Troldesh should be restored.