The operators of the Shade ransomware have released decryption keys to allow victims to decrypt their files, and also claim to have stopped all development and distribution of the malware.
Shade has been in circulation since at least 2014 and at some points was one of the more active ransomware variants around. It’s associated with Russian-language actors and, like most ransomware strains, is mainly circulated through spam phishing emails with malicious attachments. Those attachments are usually zip files and have some lure to entice the victim to open them. Shade is also known as Troldesh, and while there have been decryption tools for some versions of it for some time, the release of decryption keys for all of the victims is a different story.
Over the weekend, the Shade operators posted the keys to GitHub and posted an apology to victims, for whatever that’s worth. They also claim to have destroyed all of the source code for the ransomware.
“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all),” the message says.
“We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”
Security researchers quickly verified that the keys do in fact decrypt files on Shade-encrypted computers. There have been a number of other examples of ransomware creators or operators releasing decryption tools or keys for their own ransomware in the past. The most notable example is the TeslaCrypt group, which released a decryption tool in 2016, and some others have followed suit, including the HildaCrypt group.
Security researchers have also had some success in creating third-party decryption tools for some ransomware variants, including CoinVault, Wildfire, and others. In addition to the decryption keys, the Shade group’s post also includes detailed instructions on how to decrypt affected files.
Like many other ransomware strains, Shade is not used just by one group but is often sold or provided as a service to various criminal groups. Shade infections were quite prevalent last year, but the group behind the ransomware says that it had ended most of its activity by the close of 2019.