Shade Threat Actors Call It Quits, Release 750K Encryption Keys

The team behind the ransomware, first spotted in late 2014 and typically targeting Russian victims, apologized to victims in a post on GitHub.

The threat actors behind the Shade ransomware have called it quits, releasing 750,000 encryption keys on GitHub and publicly apologizing to victims affected by the malware.

User “shade-team” posted four files on the code repository earlier this week, one containing the file keys and four “ReadMe” files with decryption instructions and other information.

“We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools,” the team wrote in the post, adding that all the other data related to the group’s activity, as well as the trojan’s source code “was irrevocably destroyed.”

“We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data,” the team wrote.

Sergey Golovanov, a Kaspersky security researcher, confirmed via tweet that the decryption keys worked. “.858 just dropped all keys to public https://github.com/shade-team/keys decryption tools will be available ASAP!” He added, “And yes. Keys are real…”

Shade, a ransomware that encrypts files and adds various extensions to them, was first discovered in late 2014 by Kaspersky and for years known mainly to target Russian victims. Spreading through malspam emails, the ransomware quickly established itself among the top three most widespread encryptors there, researchers said at the time of its discovery.

Typically the emails would link to an archive, carry an archive attachment, or carry an attached PDF with a link to an archive, disguised as an invoice or bill. These links and attachments would then lead to a JavaScript or other script-based file designed to retrieve the Shade executable.

Last year, however, research from Palo Alto Networks’ Unit 42 showed that Shade’s threat actors had expanded their scope outside of Russia, with the majority of Shade executables actually being observed in other countries. At the time, researchers said that the top five countries affected by Shade were the United States, Japan, India, Thailand and Canada.

Researchers also noted how consistent Shade’s payload remained during the five years the ransomware was active. When a Windows host became infected with Shade ransomware, its desktop background announced the infection, and then 10 text files would appear on the desktop, named README1.txt through README10.txt.

The desktop background message of the attack would read: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”
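The on-host indicators just described (ten ransom notes named README1.txt through README10.txt dropped on the desktop, plus the quoted "All the important files on your disks were encrypted" message) lend themselves to a simple triage check. The following is an added example written for this page, not code from the article, Kaspersky, or Unit 42. It assumes the README files carry the same phrase as the desktop-background message (the article does not quote the note bodies), and it builds a constructed sample desktop in a temporary directory so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Ransom-note filenames the article reports Shade dropping on the desktop.
SHADE_NOTE_NAMES = {f"README{n}.txt" for n in range(1, 11)}

# Phrase quoted from the desktop-background message in the article.
# Assumption: the README files contain the same wording.
SHADE_NOTE_PHRASE = re.compile(
    r"All the important files on your disks were encrypted", re.IGNORECASE
)


def scan_for_shade_notes(directory):
    """Return (note_filenames, count_with_shade_text) for one directory.

    Filenames are matched case-insensitively (Windows file systems are
    case-insensitive) and returned in numeric order, README1..README10.
    """
    names_upper = {n.upper() for n in SHADE_NOTE_NAMES}
    found = [
        p for p in Path(directory).iterdir()
        if p.is_file() and p.name.upper() in names_upper
    ]
    found.sort(key=lambda p: int(re.search(r"\d+", p.name).group()))

    matching = 0
    for note in found:
        try:
            text = note.read_text(errors="replace")
        except OSError:
            # Unreadable note: still counts as a file hit, not a text hit.
            continue
        if SHADE_NOTE_PHRASE.search(text):
            matching += 1
    return [p.name for p in found], matching


def assess_shade_infection(directory, min_notes=5):
    """Classify a directory as a likely Shade infection.

    Heuristic: at least `min_notes` of the README{n}.txt names are present
    AND at least one of them carries the ransom-note phrase. Requiring the
    phrase avoids flagging a developer's own README files.
    """
    names, matching = scan_for_shade_notes(directory)
    return {
        "note_files": names,
        "notes_with_shade_text": matching,
        "likely_shade": len(names) >= min_notes and matching >= 1,
    }


def build_sample_desktop(note_count=10, with_phrase=True):
    """Construct a temporary directory that mimics an infected desktop.

    This is constructed sample data for the demonstration, not real notes.
    """
    d = tempfile.mkdtemp(prefix="shade_demo_")
    if with_phrase:
        body = ("Attention! All the important files on your disks were "
                "encrypted. The details can be found in README.txt files "
                "which you can find on any of your disks.\n")
    else:
        body = "Project notes, nothing to see here.\n"
    for n in range(1, note_count + 1):
        Path(d, f"README{n}.txt").write_text(body)
    # An unrelated file that must not be counted.
    Path(d, "shopping.txt").write_text("milk, bread\n")
    return d


if __name__ == "__main__":
    desktop = build_sample_desktop()
    print(assess_shade_infection(desktop))
```

The `min_notes` threshold is deliberately below ten so a partially cleaned-up desktop still triggers, while the phrase requirement keeps ordinary README files from producing a false positive; run it against a real user's Desktop path to triage a suspected host.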

