Shade ransomware releases decryption keys and shuts down


Shade developers voluntarily shut down the ransomware after five years of existence

Shade ransomware comes to the end

Shade ransomware, a.k.a. Troldesh or Encoder.858, has been one of the most prolific file-encrypting infections since 2014. The actors behind it have improved the malware many times over and earned an “award” as the most successful ransomware project[1]. Shade ranked first in research by Group-IB’s Computer Emergency Response Team (CERT-GIB), accounting for 57% of the malware actively distributed via email spam campaigns[2].

Shade ransomware had already been dealt a blow by Europol, the Dutch National High Tech Crime Unit, Intel, and Kaspersky, which released a free decryption tool through the No More Ransom[3] project. That tool allowed victims to decrypt some of the files locked by Shade. Nevertheless, the malware developers kept running spam email campaigns spreading the ransomware payload until the end of 2019, attacking victims in Russia, Ukraine, and other Commonwealth of Independent States (CIS) countries.

Finally, after causing enormous losses to home users, companies, and businesses, the criminals behind Shade ransomware decided to shut down the project and released over 750,000 unique decryption keys for its victims in a GitHub repository[4]. The criminals did not reveal what pushed them to stop this profitable business, whether an awakened conscience or the fear of being caught one day. Still, the group voluntarily released five master decryption keys, which correspond to the 750,000 unique decryption keys, along with thorough guidance on how to use them and a direct link to the original decryption software.

All versions can be decrypted, but regular users may face difficulties

The Shade ransomware project was active for five years, and its developers were savvy enough to stay a step ahead of cybersecurity experts. The crypto-malware was updated regularly and has more than 15 variants. Because of these regular updates, the virus was extremely persistent and challenging to shut down.

However, the Shade ransomware developers showed their “kindness” by stopping distribution of the malware at the end of 2019 and providing victims with decryption software that can unlock files with the following extensions:

  • xtbl
  • ytbl
  • breaking_bad
  • heisenberg
  • better_call_saul
  • los_pollos
  • da_vinci_code
  • magic_software_syndicate
  • windows10
  • windows8
  • no_more_ransom
  • tyson
  • crypted000007
  • crypted000078
  • rsa3072
  • decrypt_it
  • dexter
  • miami_california

Nevertheless, regular PC users may not be able to use the free Shade decryption tool because it demands a fair amount of IT knowledge. Although instructions are provided alongside it, there are far too many requirements, such as disabling antivirus software, creating new folders and subfolders, entering specific keys, downloading executable files, and so on.

Since security vendors are aware of the free decryption keys, and a spokesperson for Kaspersky Labs[5] has already confirmed that they are valid, it is only a matter of time before a simplified version of the Shade decryptor is released. Victims are therefore advised not to risk the integrity of their systems and to wait for the release of an approved decryption tool.

Criminals behind Shade officially apologized

The team that operated the Shade ransomware for five years has shut down the service and apologized to its victims. As stated on GitHub:

We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.

Even though thousands of people will be able to retrieve their data without paying the ransom, we can only guess how many victims have already paid and how much profit the criminals managed to gain. Unfortunately, no compensation is offered beyond an apology.