Skip to main content
Skip to main content
Microsoft Security

Troldesh ransomware influenced by (the) Da Vinci code

  • Microsoft Defender Security Research Team

(Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene.)


We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family.

Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we’ve seen the following updates to Troldesh:

  • Tor functionality
  • Glyph/symbol errors on the wallpaper ransom note
  • Modified extension names for encrypted files
  • New malware being delivered (Trojan:Win32/Mexar.A)
  • Updates the ransom note to cover the Tor functionality

The biggest change in this update is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.

The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):

The ransom note now includes addresses for payment

However, upon investigation it appears that Tor has blocked the address:

Screenshot showing that the Troldesh payment site has been blocked by Tor

Errors have been introduced into the image that replaces the user’s desktop wallpaper (this occurred to several samples, but not all):

Errors and unknown symbols have been seen in some versions of the wallpaper - the symbols look like blank boxes and random characters

After encryption, Troldesh changes the file’s extension. In the latest update, we’ve seen it use the following strings:

  • .da_vinci_code
  • .magic_software_syndicate

For example, an encrypted file might appear as follows:

A file name that is a series of random characters and ends in .da_vinci_code

The list of file types that Troldesh encrypts has also increased – see the Win32/Troldesh description for a full list.


To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe Internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)



In the Office 365 “How to deal with ransomware” blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:


Patrick Estavillo


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.