A Brief Look At The Shade Ransomware (2019 variant)


2019 is shaping up as a year in which ransomware infections have declined by orders of magnitude compared with 2017, when this class of malware made headlines for causing trouble for millions of people worldwide. Back then it was hard to miss the daily news of a firm or a public agency becoming the newest ransomware victim and struggling with the ransom demand (the money victims are told to pay to get their files back). That does not mean news of a company becoming a ransomware target has disappeared; it still happens, just far less often.

Some older ransomware families, which predate WannaCry by years, are making a comeback in 2019. Shade ransomware is one of them: Kaspersky Lab first documented it in the wild in 2014, five years ago. Palo Alto Networks’ Unit 42 team has meanwhile detected instances of its resurgence in the United States, India, Thailand, Canada, and Japan.

“Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.

The way Shade ransomware spreads is no different from any contemporary malware. The Shade samples examined by Unit 42 were distributed through spam emails, and the strongest campaign observed was a large wave of spam in February 2019. These emails carried an attached PDF or a compressed ZIP file, with the body of the email describing the attachment as a billing statement from the victim’s service provider.

The attached PDF or ZIP is not a genuine document; it is merely a carrier for malicious JavaScript that, once run, downloads the actual Shade payload from the attackers’ command and control servers. The payload itself has not changed significantly from the Shade variant that Kaspersky Lab first examined in 2014. Once the payload is downloaded, the script executes it automatically; this is the point at which file encryption begins and the text-based ransom note is written.
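As an added example (not code from the article or from Unit 42), here is how a mail-gateway check for this delivery pattern could look: it opens a ZIP attachment in memory, descends into nested archives, and blocks any member that Windows would run as a script, including double-extension names such as statement.pdf.js. The article names JavaScript as the downloader; the other script extensions, the nesting limit and the sample archives are this example's own assumptions, and the archives are constructed in memory rather than being real Shade lures.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions that Windows hands to the Windows Script Host or a shell when
# double-clicked.  The article names JavaScript (.js); the remaining entries are
# this example's assumption about sibling script types a gateway would block
# for the same reason.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe",
                     ".hta", ".cmd", ".bat", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 3  # assumption: refuse to descend deeper than this


def _extension(member_name: str) -> str:
    # Windows strips trailing spaces and dots from names, so "statement.pdf.js "
    # still runs as a .js file; strip them before looking at the last suffix.
    base = posixpath.basename(member_name.rstrip(" ."))
    return posixpath.splitext(base)[1].lower()


def script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the paths of script files inside a ZIP, descending into nested
    ZIPs up to MAX_NESTING levels.  Nested members are reported as outer/inner."""
    found: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _extension(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                found.append(path)
            elif ext in ARCHIVE_EXTENSIONS and depth < MAX_NESTING:
                try:
                    found.extend(script_members(zf.read(info), depth + 1, path + "/"))
                except zipfile.BadZipFile:
                    # A member named .zip that is not a ZIP is itself suspicious.
                    found.append(path + " (unreadable archive)")
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one e-mail attachment against the delivery pattern described
    in the article: a bare script, or an archive that hides one."""
    ext = _extension(filename)
    if ext in SCRIPT_EXTENSIONS:
        return {"verdict": "block", "reason": f"bare script attachment {filename}"}
    if ext not in ARCHIVE_EXTENSIONS:
        return {"verdict": "allow", "reason": "not an archive or script"}
    try:
        scripts = script_members(data)
    except zipfile.BadZipFile:
        return {"verdict": "block", "reason": "attachment claims to be a ZIP but is not"}
    if scripts:
        return {"verdict": "block", "reason": "script inside archive: " + ", ".join(scripts)}
    return {"verdict": "allow", "reason": "archive contains no script members"}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper that constructs a ZIP archive in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real Shade artefacts): a lure named like a billing
# statement, a nested archive using the double-extension trick, and a clean PDF.
LURE_ZIP = build_zip({"billing_statement.js": b"// placeholder downloader stub\n"})
NESTED_ZIP = build_zip({"inner.zip": build_zip({"statement_2019_02.pdf.js ": b"// stub\n"})})
CLEAN_ZIP = build_zip({"statement_2019_02.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for name, blob in [("lure.zip", LURE_ZIP), ("nested.zip", NESTED_ZIP), ("clean.zip", CLEAN_ZIP)]:
        print(name, triage_attachment(name, blob))
```

The check deliberately keys on what Windows would execute rather than on what the filename claims to be, because the lure in this campaign is named to look like a document; a gateway that only inspects the outer attachment name or the declared MIME type would pass the ZIP through.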

The user’s desktop wallpaper is replaced by a black background with red text announcing the infection: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”

Unlike earlier Shade activity, the newer campaign has a clear geographic focus: the largest number of infections is now in the United States, whereas Shade previously hit Windows-based computers mostly in India, Thailand and Japan. There are also visible indications that particular sectors in particular regions are targeted, with victims most often in the telecommunications, wholesale/retail and education industries. Unit 42’s hypothesis is that non-Russian-speaking countries are the most likely to receive the spam emails carrying Shade.
