Shade Ransomware Operators Cease Their Operations

A recent report states that the Shade operators are ending all their operations. With this, the longest-running ransomware strain, active since 2014 when security researchers first detected variants encrypting victims' data, draws to a close. The gang has been active since then, conducting campaigns at a fairly constant rate. Their activity fell off a cliff with their announcement:

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh, or Encoder.858. In fact, we stopped its distribution at the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

The gang took to GitHub in 2019 to make this announcement. The message confirms that the gang released some 750,000 decryption keys to help victims get their files back, which they did as an act of good faith. Kaspersky Labs researcher Sergey Golovanov has already verified these keys. The security firm is now working on a decryption tool that would make the decryption process much easier. Nothing has been announced about when this tool will be released; however, it can be anticipated that it will be available in the near future. Kaspersky Labs has experience dealing with Shade, having already released several decryption tools for it.

While the release of the tool can be seen as an act of good faith, it does come with a number of caveats. It is true that the release of the tool will help a number of victims regain access to their data encrypted by the ransomware. The release also assists Kaspersky in creating a much-needed decryptor.

As said in the introduction, the story of Shade ransomware began in 2014. The gang distributed it via both spam email campaigns and exploit kits. It was not a perfect strain, as can be seen from the multiple decryption programs developed by Kaspersky and other security firms. The first distribution method was documented by Avast in June 2019, when the security firm was able to block 100,000 instances of the ransomware, tracked as Troldesh. The campaign targeted individuals in the US, UK and Germany; however, by far the most detections occurred in Russia and Mexico. Avast noted that while the ransomware had been spread via spam emails, instances of the malware were also seen being distributed via social media and messaging platforms. They further noted:

“We see a spike in the number of its attacks that is probably more to do with Troldesh operators trying to push this strain harder and more effectively than any kind of significant code update. Troldesh has been spreading in the wild for years with thousands of victims with ransomed files and it will probably stay prevalent for some time.”

The second campaign was analyzed by Malwarebytes while they were dealing with a spike in detections that started towards the end of 2018 and ran through the first half of Q1 2019. The spike in activity appeared at a time when ransomware gangs had started slowing distribution in favour of distributing other malware such as cryptocurrency miners.

Again, the ransomware was spread by attaching the malicious code to a spam email as a file attachment. The file was often a zip archive which, if opened, extracted a JavaScript file containing the ransomware payload. Once executed, the infection would begin encrypting files and appending a certain extension to their names. A .txt file then appeared with instructions on how to pay the ransom in order to have the files decrypted. The researchers stated:

“Victims of Troldesh are provided with a unique code, an email address, and a URL to an onion address. They are asked to contact the email address mentioning their code or go to the onion site for further instructions. It is not recommended to pay the ransom authors, as you will be financing their next wave of attacks. What sets Troldesh apart from other ransomware variants is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor. Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks. The free decryptors that are available only work on a few of the older variants, so victims will likely have to rely on backups or roll-back features.”
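The on-disk footprint described above (files renamed with an appended extension, plus many readme#.txt ransom notes) is something a host-side monitor can spot from two file listings. The following is an added example, not code from the article or from any of the vendors it cites; the file listings and the ".locked" extension are constructed placeholders, and the thresholds are assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Ransom-note naming described in the article: readme#.txt, dropped in large numbers.
NOTE_RE = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)

# Constructed sample listings of a user's files before and after an infection.
# ".locked" is a placeholder extension, not the one Shade actually used.
SAMPLE_BEFORE = ["docs/report.docx", "docs/budget.xlsx", "pics/cat.jpg", "notes/todo"]
SAMPLE_AFTER = ["docs/report.docx.locked", "docs/budget.xlsx.locked",
                "pics/cat.jpg.locked", "notes/todo",
                "readme1.txt", "docs/readme2.txt", "pics/readme3.txt"]

def diff_snapshot(before, after):
    """Compare two file listings. Returns (renamed, notes): renamed maps each
    original path to its new path when the file only gained a trailing extension
    (report.docx -> report.docx.locked); notes lists new readme#.txt files."""
    before_set, after_set = set(before), set(after)
    renamed, notes = {}, []
    for new in sorted(after_set - before_set):
        p = PurePosixPath(new)
        if NOTE_RE.match(p.name):
            notes.append(new)
            continue
        # Strip the last suffix; if that yields a file that vanished, it was renamed.
        original = str(p.with_suffix("")) if p.suffix else None
        if original in before_set and original not in after_set:
            renamed[original] = new
    return renamed, notes

def assess(before, after, note_threshold=3, rename_ratio=0.5):
    """Flag a snapshot pair as suspicious when many ransom notes appeared AND a
    large share of the original files were renamed with one common new extension."""
    renamed, notes = diff_snapshot(before, after)
    ratio = len(renamed) / len(before) if before else 0.0
    ext_counts = Counter(PurePosixPath(n).suffix for n in renamed.values())
    common_ext = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {
        "renamed": len(renamed),
        "ratio": round(ratio, 2),
        "common_ext": common_ext,
        "notes": len(notes),
        "suspicious": len(notes) >= note_threshold and ratio >= rename_ratio,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Requiring both signals together keeps a bulk rename by a legitimate tool from tripping the heuristic on its own.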

While one gang has decided to cease all operations, for many others it is business as usual, so you should not let your guard down. Microsoft's Threat Protection Intelligence team has issued a warning that although this time the attackers have not threatened to release the data publicly, this does not mean they have not stolen it. Further, they stated:

“Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.”

You should defend against falling victim to ransomware gangs. Microsoft advises network admins to scour their networks for PowerShell, Cobalt Strike and other penetration testing tools. They should also look for suspicious access to the Local Security Authority Subsystem Service (LSASS), suspicious registry modifications, and evidence of tampering with security logs. This advice follows from these vulnerabilities:

  • RDP or Virtual Desktop endpoints without multi-factor authentication
  • Microsoft Exchange servers affected by CVE-2020-0688
  • Zoho ManageEngine systems affected by CVE-2020-10189
  • Citrix ADC systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510
  • Microsoft SharePoint servers affected by CVE-2019-0604
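The hunting leads Microsoft lists above (suspicious PowerShell, access to LSASS, registry modification, security-log tampering) can be turned into simple rules over endpoint telemetry. Below is an added example, not code from the article or from Microsoft; the event records are constructed in a simplified shape loosely modelled on Sysmon and Windows Security log fields, the LSASS allowlist and registry watch paths are assumptions, and Cobalt Strike detection is left out.

```python
import re

# Constructed sample events in a simplified JSON-like shape loosely modelled on
# Sysmon (ids 1, 10, 13) and Windows Security log (id 1102) fields; not real records.
SAMPLE_EVENTS = [
    {"id": 1, "source": "sysmon", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 1, "source": "sysmon", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"id": 10, "source": "sysmon", "source_image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "source": "sysmon", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 13, "source": "sysmon", "details": "DWORD (0x00000001)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"id": 1102, "source": "security", "message": "The audit log was cleared."},
]

# Hidden-window or encoded PowerShell command lines, a common launcher pattern.
ENC_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s|\s-w(indowstyle)?\s+hidden")
# Processes assumed to open LSASS legitimately; anything else touching it is a lead.
LSASS_ALLOW = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
               r"c:\windows\system32\svchost.exe"}
# Registry paths worth watching: autorun persistence and Defender being switched off.
REG_WATCH = ("\\currentversion\\run", "\\windows defender\\disableantispyware")

def classify(ev):
    """Return the hunting leads from the article that this single event matches."""
    leads = []
    image = ev.get("image", "").lower()
    if ev["id"] == 1 and image.endswith("powershell.exe") and ENC_PS.search(ev.get("cmdline", "")):
        leads.append("suspicious_powershell")
    if (ev["id"] == 10 and ev.get("target_image", "").lower().endswith("\\lsass.exe")
            and ev.get("source_image", "").lower() not in LSASS_ALLOW):
        leads.append("lsass_access")
    if ev["id"] == 13 and any(k in ev.get("target_object", "").lower() for k in REG_WATCH):
        leads.append("registry_modification")
    if ev["source"] == "security" and ev["id"] == 1102:
        leads.append("log_tampering")
    return leads

def hunt(events):
    """Map event index -> leads, keeping only events that matched something."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

if __name__ == "__main__":
    for idx, leads in hunt(SAMPLE_EVENTS).items():
        print(idx, leads)
```

Tune the allowlist to your own baseline; a single unexpected handle to lsass.exe is worth a look even when every other rule is quiet.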