Security provider Malwarebytes said a user who claimed to represent the group had said on GitHub last Sunday that the group's decryption software would also be published.
Malwarebytes researcher Pieter Arntz cautioned victims against using this tool to try to decrypt any data, and said it would be better to wait for a tool to be released by the No More Ransom project.
That project is run by the National High Tech Crime Unit of the Dutch Police, Europol's European Cybercrime Centre, and security vendors Kaspersky and McAfee. Its goal is to help victims of ransomware recover their data without having to pay a ransom.
Number of Malwarebytes detections of Ransom.Troldesh from July 2018 till April 2020. Courtesy Malwarebytes
"If the file extensions from your affected system(s) do not match one [of these], then your files are outside of the scope of this decryption tool," he said. "If you do find a match you should wait for the decryption tool to be published."
When it came to the question of why Shade had decided to exit the scene, Arntz offered some likely explanations.
"Maybe their conscience caught up with them. After all they do apologise to the victims," he said. "But these are only the victims that didn’t pay or were unable to recover their files despite paying the ransom."
He said a second reason could be that the Shade team suspected someone had breached their key vault, and so they were forced, or decided of their own accord, to publish the keys. But, he added, there had been no claims to support this possibility.
Another possible reason was that the profitability of the ransomware may have peaked.
"Ransom.Troldesh has been around since 2014 and we saw a steep detection spike once the threat actors ventured outside of Russian targets in February of 2019," said Arntz. "But after that initial spike the number of detections gradually faded out. It was still active and generating money though."
A final reason that Arntz offered was that the development of this ransomware may have reached its technical limit and the team was therefore focusing on a new software project.
"The team stated to have stopped distribution in the end of 2019, but failed to let on what they are currently working on," he added.