Conscience spoke through cybercriminals(?)

Computer work - cybersecurity

The Shade Ransomware (Troldesh) has been shut down. After closing all their operations and releasing over 750,000 decryption keys, the people behind the organization apologized to their victims for the harm they caused.

The Shade Ransomware has been in operation since around 2014. Unlike other ransomware families that specifically avoid encrypting victims in Russia and other CIS countries, Shade targets people in Russia and Ukraine predominantly.

Reportedly, submissions related to the Shade Ransomware had been steady over the years until the end of 2019, when they started to dwindle.

During the weekend (25-26 April), the operators created a GitHub repository and stated that they had stopped distributing the ransomware at the end of 2019. As part of this statement, the ransomware operators apologize for their actions and provide instructions on how to recover files using the released keys.

“We are the team which created a trojan-encryptor, mostly known as Shade, Troldesh, or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data,” can be read on the GitHub post.

Included in the repository are five master decryption keys, over 750 thousand individual victims' decryption keys, instructions on how to use them, and a link to their decryption program. However, using the decryptor is not very straightforward, and victims may have trouble getting it to work correctly.

Kaspersky Lab confirmed that the keys are valid and used them to decrypt a test machine.

The cybersecurity company, like likely others in the industry, will be updating its ransomware decryption tool to include these keys and make it easier for victims to recover their files for free. So far, there is no timeline for when the decryption tool will be updated.

- 28 April 2020 - EN