Skip to content ↓ | Skip to navigation ↓

The operators of Shade ransomware published the decryption keys for 750,000 of their victims in an effort to help them recover their data.

The authors of Shade used a GitHub post to make decryption keys available to all of its remaining victims (approximately 750,000). They also used the posting to provide a bit of context about their decision:

We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.

An ID Ransomware submission confirming a drop in activity for Shade ransomware at the end of 2019. (Source: Bleeping Computer)

The post went on to provide a series of instructions on how victims can use the decryption keys to recover their encrypted information. Along the way, Shade’s handlers noted that the decryption keys they had released bore certain similarities with the encryptors they had used to scramble users’ data in the first place. They therefore explained that they had used the password “123454321” to protect all of the executable files for the purpose of preventing AV software from automatically flagging them as malicious.

The ransomware’s authors also explained that those who were experiencing difficulties in using the decryption keys to recover their files could wait for security firms to develop more user-friendly software.

Those efforts might already be in the works. Kaspersky Principal Security Researcher Sergey Golovanov told Bleeping Computer that the Russian security firm intends to incorporate Shade’s decryption keys into its RakhniDecryptor ransomware decryption tool so that victims can restore their data more easily. That being said, a timeline of when this solution would be released was not available at the time of writing.

It wasn’t immediately clear from their posting what compelled Shade ransomware’s authors to release their decryption keys.

Notwithstanding the development above, plenty of other ransomware families continue to prey upon organizations and users alike. That’s why organizations need to take the proper steps to defend against a ransomware attack. One of the ways they can do this is by working to prevent a ransomware infection in the first place using these steps.