
Shade (Troldesh) Ransomware Operators Shut Down Threat, Release 750K Decryption Keys

The group behind the Shade (Troldesh) ransomware has officially stopped its distribution and, as a sign of goodwill, released 750 thousand decryption keys, apologizing for the trouble they caused their victims.

The Shade ransomware had been running wild for quite some time, with operations commencing as early as 2014. Unlike many other ransomware projects that avoid encrypting targets in Russia and other CIS countries, Shade predominantly targeted victims in Ukraine and Russia.

Security researchers first noted a decrease in the distribution of Shade at the end of 2019, and a recent post by the ransomware's operators on GitHub revealed why.

"We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousand at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data," reads the GitHub post.

Shade Operators Apologetic for Past Actions

Apart from the 750 thousand keys, the published repository contains five master decryption keys, a link to the threat actors' decryption program, and instructions on how to use them. The decryptor, however, is not straightforward to use, and victims may want to wait for the No More Ransom project to release a user-friendly version.

And while the operators of Shade apologized to their victims, we still don't know why they decided to shut down the ransomware. One theory, considering the apology, is that their conscience caught up with them. Their move, however, benefits only those who didn't pay the ransom in the first place.

Another possibility is that someone managed to breach the Shade key vault and the threat actors were forced to publish the keys themselves, but there is no concrete threat intelligence to confirm that.

The likeliest theory is that Shade's profitability had simply peaked, and the ransomware had not performed as expected once its operators decided to use it on targets outside of Russia in February 2019. After the initial spike of infections, Shade submissions gradually faded and returned to their previous levels. This might have been reason enough for the threat actors behind it to move on to another project after five years of significant activity.

The released decryption keys will prove useful to anyone who was unable to decrypt their files with the several decryptors that different security researchers had released, since those tools worked only on a limited number of Shade versions. The condition is that victims must still have access to their encrypted files. Saving encrypted files on offline storage until a decryptor is released is always recommended, especially when dealing with valuable data.
