
Shadow Ransomware

By CagedTech in Ransomware

The Shadow Ransomware is an encryption ransomware Trojan that also is known as the ShadowBTC Ransomware. The Shadow Ransomware was first observed on December 4, 2017, and carries out a typical encryption ransomware attack. These attacks are designed to take the victim's files hostage, demanding the payment of a ransom in exchange for the kidnapped files. To do this, the Shadow Ransomware uses a strong encryption algorithm to encrypt the victim's files, making them inaccessible to those without the decryption key, which the cybercrooks hold in their possession.

The Shadow Ransomware can Compromise Numerous File Types

The Shadow Ransomware may enter a computer after the victim opens a corrupted spam email attachment. These attachments tend to take the form of Microsoft Word files with macro scripts enabled; the macros download and install the Shadow Ransomware onto the victim's computer. Once installed, the Shadow Ransomware searches the victim's computer for user-generated files to encrypt. Some of the file types that may be taken hostage by threats like the Shadow Ransomware include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Shadow Ransomware uses AES-256 encryption to make the victim's files inaccessible. The Shadow Ransomware also renames affected files, appending the following string to the affected file's name as an extension:

'.[email]-id-[random chars].shadow'

The Shadow Ransomware’s Ransom Demands

The Shadow Ransomware's ransom note pops up in a new window. The file associated with the data locker's note is called '!ENCRYPTED-README.hta.' In the ransom message, the attackers state that the ransom fee depends on how quickly the victim contacts them. However, they make it clear that the payment must be made in Bitcoin. The creators of the Shadow Ransomware claim that they will decrypt three files free of charge as proof that they are able to reverse the damage done to the user's data. The attackers provide email addresses as a means of getting in touch with them: 'RDPrecovery1@protonmail.com' and 'RDPone@cock.li.' The Shadow Ransomware's ransom note has the following content:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydayz@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc).
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Computer users who refrain from following the instructions in the Shadow Ransomware's ransom note or paying the ransom are making the right decision. Instead, it is advised to take preventive measures. The best prevention, in the case of the Shadow Ransomware, is to keep file backups in the cloud or in a location that the threat cannot reach. Having backup copies of files means that computer users can restore the affected files from the backup after a Shadow Ransomware infection.


File System Details

Shadow Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe 7ebaf3d901057510c9582cab9729ad54 0
