Wednesday, 29 April 2020 10:25

Shade ransomware group exits scene, releases thousands of decryption keys

[Image: Arek Socha, Pixabay]

A group that was distributing Windows ransomware known as Shade or Troldesh has pulled up stumps and released about 750,000 encryption keys, offering an apology for its actions during its existence.

Security provider Malwarebytes said a user who claimed to represent the group had said on GitHub last Sunday that the group's decryption software would also be published.

Malwarebytes researcher Pieter Arntz cautioned victims against using this tool to try to decrypt any data, and said it would be better to wait for a tool to be released by the No More Ransom project.

That project is run by the National High Tech Crime Unit of the Dutch Police, Europol's European Cybercrime Centre, and security vendors Kaspersky and McAfee. Its goal is to help victims of ransomware recover their data without having to pay a ransom.

Arntz said victims could check and see if any of their encrypted files had the following extensions: xtbl, ytbl, breaking_bad, heisenberg, better_call_saul, los_pollos, da_vinci_code, magic_software_syndicate, windows10, windows8, no_more_ransom, tyson, crypted000007, crypted000078, rsa3072, decrypt_it, dexter and miami_california.


Number of Malwarebytes detections of Ransom.Troldesh from July 2018 till April 2020. Courtesy Malwarebytes

"If the file extensions from your affected system(s) do not match one [of these], then your files are outside of the scope of this decryption tool," he said. "If you do find a match you should wait for the decryption tool to be published."
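The extension check Arntz describes can be automated for a whole affected system rather than eyeballed file by file. The following is an added example written for this article, not tooling from Malwarebytes or the No More Ransom project: it walks a directory tree, matches the final suffix of each file name against the published extension list (case-insensitively, since Windows file names are not case-sensitive), and reports whether anything falls in scope. It identifies candidate files only and performs no decryption; the sample files it creates in a temporary directory are constructed placeholders, not real Shade output.

```python
"""Triage helper: find files carrying the extensions Shade/Troldesh is known to append.

Added example, not Malwarebytes' or No More Ransom's tooling. It only
identifies candidate files; it does not attempt any decryption.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extension list as published by Malwarebytes (see article text).
SHADE_EXTENSIONS = frozenset({
    "xtbl", "ytbl", "breaking_bad", "heisenberg", "better_call_saul",
    "los_pollos", "da_vinci_code", "magic_software_syndicate", "windows10",
    "windows8", "no_more_ransom", "tyson", "crypted000007", "crypted000078",
    "rsa3072", "decrypt_it", "dexter", "miami_california",
})


def shade_extension(filename):
    """Return the matching Shade extension (lower-cased) or None.

    Shade appends its marker after the original name, so only the final
    suffix is inspected; the comparison is case-insensitive because Windows
    file names preserve case but are not compared by it.
    """
    name = os.path.basename(filename)
    if "." not in name:
        return None
    suffix = name.rsplit(".", 1)[1].lower()
    return suffix if suffix in SHADE_EXTENSIONS else None


def scan_for_shade_files(root):
    """Walk `root` and group every matching file path by extension."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = shade_extension(fname)
            if ext:
                hits[ext].append(os.path.join(dirpath, fname))
    return dict(hits)


def summarize(hits):
    """Produce the decision the article describes: in scope or not."""
    total = sum(len(v) for v in hits.values())
    if total == 0:
        return ("No Shade/Troldesh extensions found; files are outside "
                "the scope of this decryption tool.")
    parts = ", ".join(f"{ext}: {len(paths)}" for ext, paths in sorted(hits.items()))
    return f"{total} file(s) match ({parts}); wait for the No More Ransom decryptor."


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return per-extension counts."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [
            "docs/report.docx.xtbl",           # constructed: looks Shade-encrypted
            "docs/budget.xlsx.crypted000007",  # constructed: newer Shade marker
            "pics/holiday.JPG.BREAKING_BAD",   # constructed: mixed case
            "pics/untouched.png",              # constructed: normal file
            "README",                          # constructed: no extension at all
        ]
        for rel in samples:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00placeholder")
        hits = scan_for_shade_files(tmp)
        print(summarize(hits))
        return {ext: len(paths) for ext, paths in hits.items()}


if __name__ == "__main__":
    demo()
```

To use it on a real system, call `scan_for_shade_files` with the root of the affected volume (for example `scan_for_shade_files(r"D:\")`) and feed the result to `summarize`; a file with a different suffix, or a matching suffix that is not the last one, is deliberately not counted, which mirrors Arntz's point that only exact matches are within scope.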

When it came to the question of why Shade had decided to exit the scene, Arntz offered some likely explanations.

"Maybe their conscience caught up with them. After all they do apologise to the victims," he said. "But these are only the victims that didn’t pay or were unable to recover their files despite paying the ransom."

He said a second reason could be that the Shade team suspected someone had breached their key vault, and hence they were forced, or decided of their own accord, to publish the keys. But, he added, there had been no claims to support this possibility.

Another possible reason was that the profitability of the ransomware may have peaked.

"Ransom.Troldesh has been around since 2014 and we saw a steep detection spike once the threat actors ventured outside of Russian targets in February of 2019," said Arntz. "But after that initial spike the number of detections gradually faded out. It was still active and generating money though."

A final reason that Arntz offered was that the development of this ransomware may have reached its technical limit and the team was therefore focusing on a new software project.

"The team stated to have stopped distribution in the end of 2019, but failed to let on what they are currently working on," he added.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
