The group behind the Shade ransomware has closed up shop
and distributed around 750,000 decryption keys, along with decryption software,
apologizing to everyone who was affected by their malware.
There are numerous types of ransomware in use today, and
Shade was one of them for more than half a decade. Also known under the name of
Troldesh, it’s been around since around 2014, and was mainly deployed in
Russia, the United States, Japan, parts of Europe, Canada, and a few other
Shade activity was a constant in the past few years, but
it slowed down by the end of 2019. The reason for the supposed shutdown is
unclear, as is whether it was genuine. It wouldn’t be the first time a group
has shut down one operation only to open another under a different name.
The large collection of decryption keys was posted on
GitHub, along with a message. “We stopped its distribution in the end of 2019,”
“Now we made a decision to put the last point in this
story and to publish all the decryption keys we have (over 750 thousands at
all). We are also publishing our decryption soft; we also hope that, having the
keys, antivirus companies will issue their own more user-friendly decryption
They also claim to have destroyed the malware’s source
code and apologized to everyone that was affected by their trojan. While it
might seem like a nice sentiment, let’s not forget that their malware caused
immense losses to numerous industries and people for a long time.
Publishing the decryption software is good news, as it
makes it easier for affected parties to recover lost data and for security
companies to provide more robust solutions.
Despite the supposed retirement of Shade, there are still
numerous other groups active right now, such as Sodinokibi or Maze, which
have changed their modus operandi to include blackmail with stolen data.