Shade Ransomware shuts down, releases 750K decryption keys

struppigel · Apr 28, 2020

The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims.

The Shade Ransomware has been in operation since around 2014. Unlike other ransomware families that specifically avoid encrypting victims in Russia and other CIS countries, Shade targets people in Russia and Ukraine predominantly.

According to Michael Gillespie, the creator of the ransomware identification site ID Ransomware, submission related to the Shade Ransomware has been steady over the years until the end of 2019 when it started to dwindle.

Facts in a nutshell:

Keys and decrypter released here: github.com/shade-team/keys
The decrypter is not user friendly. So Kaspersky will be updating its RakhniDecryptor with the keys.

upnorth · Apr 28, 2020

We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.

Note: Some of the published software is detected by some antiviruses because it uses common code blocks with the encryptor. To avoid the deletion of them all the exe files were zipped with the same password: 123454321

Full source :

shade-team/keys

Contribute to shade-team/keys development by creating an account on GitHub.

github.com

Chuck57 · Apr 28, 2020

Assuming they took money to release the files through the years, are they apologetic enough to repay it?

Gandalf_The_Grey · Apr 30, 2020

Decrypt all strains of Shade ransomware:

A decrytption utility for Shade ransomware is now available

Kaspersky researchers publish the decryptor that can help get back files encrypted by all strains of Shade/Troldesh ransomware.

www.kaspersky.com

The new Shade decryptor is now available on noransom.kaspersky.com, and it can help people get back their files encrypted by Shade, no matter which version of Shade got them into trouble.

plat · May 2, 2020

Bitdefender Labs

Daily source of cyber-threat information. Established 2001.

labs.bitdefender.com

Dave Russo · May 3, 2020

Chuck57 said:
Assuming they took money to release the files through the years, are they apologetic enough to repay it?

good point

HunterX · May 3, 2020

good news thank you

Antus67 · May 3, 2020

Beware of the Trojan Horse in diguise ..............I wonder what their hidden agenda is?? Once a snake always a snake

CyberPanther · May 3, 2020

I hope all are well and safe.

Further to the positive news of Shade Ransomware shuts down, releases 750K decryption keys:

https://www.bleepingcomputer.com/ne...are-shuts-down-releases-750k-decryption-keys/

https://malwaretips.com/threads/shade-ransomware-shuts-down-releases-750k-decryption-keys.100414/

Bitdefender and Kaspersky released their decryption tools to assist victims:

Bitdefender:

https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/

Kaspersky:

https://noransom.kaspersky.com/

I hope this will be useful to everyone>

Search

Shade Ransomware shuts down, releases 750K decryption keys

struppigel

Moderator

upnorth

Moderator

shade-team/keys

Chuck57

Level 9

Gandalf_The_Grey

Level 76

A decrytption utility for Shade ransomware is now available

plat

Level 29

Bitdefender Labs

Dave Russo

Level 21

HunterX

New Member

Antus67

Level 9

CyberPanther

Level 6

Similar threads