ESET Detected the infection as "win32/filecoder.nfy" as well. There was only one file that was created that I can see, on the desktop folder of a different user on this server, named "How to decrypt your files.txt", containing only this: "To decrypt your data write me to firstname.lastname@example.org"
...(aka Troldesh, Shade, Encoder.858) is a crypto malware detection by ESET. According to their research lab, there are several different variants.Troldesh (Shade)
is a crypto-ransomware variant created in Russia that appends encrypted data files with an .XTBL
extension to the end of each filename. In later versions, Kaspersky lab advises the malware added the infected computers ID and then the .xtbl extension to the file name like this example...ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl
. According to ESET, the newer variants append an additional .<id-random>.<email>.xtbl
Troldesh leaves files (ransom notes) with names like README1.txt, READEME2...README10.txt and How to decrypt your files.txt.
Do your encrypted files have the .XTBL
extension in the file name?