Shade ransomware witnesses huge spike in activity through malspam campaigns

  • Researchers at Avast confirmed the rise in Shade ransomware activity and claimed the attacks predominantly targeted Mexico and Russia.
  • Its recent campaigns can not only encrypt files but also mine cryptocurrency and amplify traffic to certain websites to generate revenue.

A Singapore-based security firm, Group-IB, recently examined the malspam emails it detected in the first half of 2019 and found that Shade ransomware topped the list of malware most actively distributed through malicious phishing emails.

Shade ransomware is known for its constantly changing Tor command-and-control (C2) servers, which make it difficult to track and block. It is sold or rented on various crimeware markets, often under the name Troldesh.

Researcher’s insights

Group-IB’s Computer Emergency Response Team (CERT-GIB) revealed Shade Ransomware as the main malware strain used by attackers to infect target computers in H1 2019.

  • According to the report, three of the most widespread tools used in attacks were Troldesh (53 percent), RTM (17 percent) and Pony Formgrabber (6 percent).
  • The creators of the ransomware constantly upgrade it with new features and capabilities, keeping demand for it high among cybercriminals.
  • Ransomware attacks saw a huge boost in recent campaigns compared with malware activity in 2018, which was dominated by backdoors and banking trojans.
  • In June 2019, Group-IB reported a spike in Shade ransomware infections, with more than 1,100 phishing emails carrying Troldesh detected; in the second quarter that number exceeded 6,000.

Traits of the new variant

  • According to Group-IB researchers, recent Troldesh campaigns can not only encrypt files but also mine cryptocurrency and amplify traffic to certain websites to generate revenue from online advertising.
  • The differentiating factor of Troldesh (from other ransomware variants) "is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor," Malwarebytes Labs said.

"Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks," the researchers concluded.
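The burst of numbered readme#.txt notes described above is a cheap indicator to triage for during incident response. The following is an added example, not code from Malwarebytes, Group-IB or the article: it scans a file listing for readme<N>.txt names, groups the hits by directory and flags directories holding several copies. The file listing is constructed, and the threshold of three notes per directory is an assumption chosen to separate a single ordinary readme from the ransomware's mass drop.

```python
"""Triage check for the Shade/Troldesh ransom-note pattern (added example)."""
import os
import re
from collections import Counter
from pathlib import PurePosixPath

# Shade drops ransom notes named readme1.txt, readme2.txt, ... (pattern from the article).
# A plain readme.txt without a number is ordinary and deliberately not matched.
NOTE_RE = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)


def _as_posix(path):
    """Normalise Windows backslash paths so directory grouping works for both styles."""
    return PurePosixPath(path.replace("\\", "/"))


def find_ransom_notes(paths):
    """Return the subset of paths whose file name matches readme<N>.txt."""
    return [p for p in paths if NOTE_RE.match(_as_posix(p).name)]


def affected_directories(paths, min_notes=3):
    """Return {directory: note_count} for directories holding at least min_notes notes.

    One numbered note could be coincidence; a burst of them per directory is the
    Shade signature the article describes. min_notes=3 is an assumed threshold.
    """
    counts = Counter(str(_as_posix(p).parent) for p in find_ransom_notes(paths))
    return {d: n for d, n in counts.items() if n >= min_notes}


def scan_tree(root, min_notes=3):
    """Walk a real directory tree and apply the same check to what is on disk."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return affected_directories(paths, min_notes)


# Constructed sample listing, standing in for a forensic file inventory.
SAMPLE_LISTING = [
    "/home/user/Documents/report.docx",
    "/home/user/Documents/readme1.txt",
    "/home/user/Documents/readme2.txt",
    "/home/user/Documents/readme3.txt",
    "/home/user/Documents/readme4.txt",
    "/home/user/Documents/README.TXT",      # ordinary readme, not numbered: ignored
    "/home/user/Pictures/readme1.txt",      # single note: below the threshold
    "/home/user/Pictures/holiday.jpg",
    "/srv/share/readme10.txt",
    "/srv/share/readme11.txt",
    "/srv/share/readme12.txt",
    "/srv/share/invoice.pdf",
    "C:\\Users\\bob\\Desktop\\readme7.txt",  # Windows-style path, single note
]

if __name__ == "__main__":
    for directory, count in sorted(affected_directories(SAMPLE_LISTING).items()):
        print(f"{directory}: {count} numbered ransom notes")
```

On the constructed listing, `/home/user/Documents` (4 notes) and `/srv/share` (3 notes) are flagged while the lone notes in `Pictures` and on the Windows desktop are not; pointing `scan_tree` at a mounted image applies the same logic to a live tree. The check only recognises the note pattern the article names; it says nothing about which files were encrypted.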

Observations made by other researchers

Researchers at Avast confirmed the rise in activity and said the attacks predominantly targeted Mexico and Russia, though potential victims were also seen in the UK and Germany. Malwarebytes researchers likewise noted a spike in the ransomware's activity from Q4 2018 to Q1 2019 as part of an active, successful campaign.

Kaspersky Lab and Intel Security had earlier released two Shade ransomware decryptor tools on the No More Ransom website, but it remains to be seen whether they work on the new variants.