Shade Ransomware Takes Aim at International Targets

The Shade ransomware, also known as Troldesh, is a strain of malware that was first spotted by security researchers back in early 2014. After being used against Russian victims in localized campaigns, Shade has recently been spotted in a growing number of attacks against victims located across the globe, from Japan to the USA.

Security researchers with Palo Alto Networks recently published their findings on Shade infections, the majority of which now occur outside of Russia. Affected countries include Japan, Thailand, India, Canada and the USA. Unlike most ransomware these days, Shade is not being used to target private users but industries and corporate entities instead, with Palo Alto singling out high-tech companies, wholesale companies and educational institutions as the prime targets in those new international attacks. Russia is still among the top 10 countries where Shade is used but has dropped to the number seven spot.

New victims, familiar attack vectors

Shade is still being distributed using spam emails. The ransomware executable still displays the same desktop image on infected machines that it showed back in 2014, Palo Alto reports. Victims of the Shade ransomware have their desktop image replaced with a warning note in both Russian and English, and ten plain text files are dropped on the desktop, named README1.txt to README10.txt. The contents of all ten text files are the same: Shade's ransom note. The extension used by the most current versions of the Shade ransomware is ".crypted000007".
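The host artifacts described above (ten identical README notes on the desktop and files carrying the ".crypted000007" extension) can be checked for during triage. The Python below is an added example, not code from Palo Alto Networks or the original article; the function names, verdict labels and the sample directory layout are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".crypted000007"  # extension reported for current Shade versions
NOTE_RE = re.compile(r"^README([1-9]|10)\.txt$", re.IGNORECASE)  # README1..README10


def triage(desktop: Path, data_root: Path) -> dict:
    """Look for the Shade host artifacts: ten identical notes plus renamed files."""
    note_hashes = {
        p.name.upper(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in desktop.iterdir()
        if p.is_file() and NOTE_RE.match(p.name)
    }
    # All ten notes carry the same text, so a full set hashes to a single value.
    full_set = len(note_hashes) == 10 and len(set(note_hashes.values())) == 1
    encrypted = sorted(
        p.relative_to(data_root).as_posix()
        for p in data_root.rglob("*")
        if p.is_file() and p.name.lower().endswith(ENCRYPTED_EXT)
    )
    if full_set and encrypted:
        verdict = "match"    # both indicators present
    elif full_set or encrypted:
        verdict = "partial"  # one indicator only; needs a closer look
    else:
        verdict = "none"
    return {"verdict": verdict, "notes": len(note_hashes), "encrypted": encrypted}


def build_fixture(root: Path, notes=10, same_text=True, encrypted=2):
    """Constructed sample layout (not real malware output) for exercising triage()."""
    desktop, docs = root / "Desktop", root / "Documents" / "reports"
    desktop.mkdir(parents=True)
    docs.mkdir(parents=True)
    for i in range(1, notes + 1):
        (desktop / f"README{i}.txt").write_text("constructed note" if same_text else f"variant {i}")
    (desktop / "README.txt").write_text("unrelated file, must not count as a note")
    (docs / "budget.xlsx").write_text("untouched file, must not count as encrypted")
    for i in range(encrypted):
        (docs / f"file{i}.docx{ENCRYPTED_EXT}").write_text("x")
    return desktop, root / "Documents"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*build_fixture(Path(tmp))))
```

A "partial" verdict means only one of the two indicators was found, so it should prompt a manual look, not a conclusion.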

Shade was used in international spam campaigns in February 2019. The emails usually included a link to an innocent-looking file that contains JavaScript instructions that, in turn, download the real payload. The top 3 countries where Shade was most commonly used by bad actors in 2019 were the United States, Japan and India. Predictably, Shade was primarily targeting high-tech companies, where the expected ransom payments are also the highest. Whether this trend of pushing a previously Russian-oriented ransomware to victims all over the world continues remains to be seen.