A Singapore-based security outfit recently examined a bunch of malspam emails detected in the first half of 2019 and noted that Shade Ransomware topped the list for the most actively distributed malware via malicious email phishing campaigns.
Shade Ransomware is known for using constantly changing Tor command-and-control (C2) servers that make it difficult to track and block. It is sold or rented on various crimeware markets, often under the name Troldesh.
Group-IB’s Computer Emergency Response Team (CERT-GIB) revealed Shade Ransomware as the main malware strain used by attackers to infect target computers in H1 2019.
Traits of the new variant
"Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks," the researchers concluded.
Observations made by other researchers
Researchers at Avast confirmed its rise in activity and said the attacks predominantly targeted Mexico and Russia, though potential victims were also found in the UK and Germany. Malwarebytes researchers also noted a spike in the ransomware's activity from Q4 2018 to Q1 2019 as part of an active, successful campaign.
Kaspersky Lab and Intel Security had earlier released two Shade Ransomware decryptor tools on the No More Ransom website, but it remains to be seen if they would work on new variants.