
An overview of the Shade ransomware and its shady activities

  • Shade ransomware has been around since 2014.
  • The top impacted industries from the ransomware are high-tech, wholesale and education sectors.

Recent trends show that Shade ransomware, also known as Troldesh, is a rising threat within the ransomware family. According to the ‘Cybercrime Tactics and Techniques Q1 2019’ report by Malwarebytes, a majority of the ransomware attacks reported in the first quarter of 2019 were conducted by Shade.

Origin of the ransomware

Shade ransomware has been around since 2014. The malware is believed to be of Russian origin because its ransom notes are written in both Russian and English. Countries affected by this ransomware include the United States, Japan, Thailand, Canada and Russia. The top impacted industries are the high-tech, wholesale and education sectors.

How does it spread?

Shade ransomware typically spreads through malspam. These malicious spam emails carry attachments, usually zip files, that contain JavaScript code; opening the script results in the download of the malware.

The payload is often hosted on sites with a compromised Content Management System (CMS). The ransomware usually targets systems running Windows OS.

What is its behavior?

Once deployed, the ransomware starts encrypting files on the victim’s machine. Troldesh looks for files with specific extensions on fixed, removable and remote drives.

It uses AES-256 in CBC mode to encrypt files. For each encrypted file, two random 256-bit AES keys are generated: one encrypts the file’s contents, the other encrypts the file name.

After encrypting, it drops a ransom note named ‘readme#.txt’ that guides victims through the payment process.

What are the new changes?

Since its inception, the ransomware has changed very little. Since 2016, Shade has appended the .crypted000007 extension to encrypted files, while the Tor address at cryptsen7f043rr6.onion has remained the same.
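The delivery pattern (zipped JavaScript attachments) and the on-disk indicators named above (the ‘readme#.txt’ note and the .crypted000007 extension) are enough to build a simple triage check. The following is an added example for defenders, not code from the article or from any vendor; it assumes ‘#’ in the note name stands for a run of digits, and the extra script extensions beside .js are an assumption, not something the article states.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Indicators taken from the article.
ENCRYPTED_EXT = ".crypted000007"
# Assumption: the '#' in 'readme#.txt' is one or more digits (readme1.txt, readme10.txt, ...).
RANSOM_NOTE_RE = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)
# .js is the type the article names; the others are assumed common script droppers.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}


def classify_path(name):
    """Return which Shade indicator a single file path matches, or None."""
    p = PurePosixPath(name.replace("\\", "/"))  # accept Windows-style paths too
    if p.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted_file"
    if RANSOM_NOTE_RE.match(p.name):
        return "ransom_note"
    return None


def scan_file_listing(names):
    """Count Shade indicators over an iterable of file paths (e.g. a host inventory)."""
    counts = {"encrypted_file": 0, "ransom_note": 0}
    for n in names:
        hit = classify_path(n)
        if hit:
            counts[hit] += 1
    return counts


def scripts_in_zip_attachment(data):
    """List script members inside a zip attachment; empty list if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if PurePosixPath(i.filename).suffix.lower() in SCRIPT_EXTS]
    except zipfile.BadZipFile:
        return []


def build_sample_zip(members):
    """Constructed harmless sample attachment for the demo (placeholder text only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "// constructed placeholder, not a real script\n")
    return buf.getvalue()
```

A hit from `scripts_in_zip_attachment` on inbound mail, or a non-zero count from `scan_file_listing` on a host, is a reason to quarantine and investigate rather than a verdict on its own.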

The bottom line

Researchers note that the ransomware is very active outside Russia and is possibly targeting more English-speaking users. As there is no decryption key for the ransomware, users are advised to follow basic security practices to stay safe from Shade: keep the security solution up to date, use application whitelisting software, keep backups of files and update system software periodically.

Cyware Publisher