The malicious actors behind Shade ransomware made an unusual announcement on GitHub, not only publishing all 750,000 decryptor keys for the malware but apologizing for their criminal actions.
“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019.” the operators purportedly posted. “All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”
Each key decryptor likely represents one attack making Shade particularly virulent during its time. The group gave no reason for its sudden change of heart and Shahrokh Shahidzadeh, CEO at Acceptto, said the reasoning doesn’t matter.
“Net-net this is a great win for the good guys. No matter what the motives of the operators of the Shade (Troldesh) ransomware, we will take it,” he told SC Media. “While this might mean that they are out of the game for good, it’s not the first time that a group of attackers has torn down their infrastructure and gone dormant only to resurface later using different infrastructures and the same set of tools.”
In addition to supplying the keys the group posted detailed instructions along with a note that if a victim still has problems decrypting their files to wait for the security companies to post tools to better utilize the information provide. It was also noted that some of the published software is detected by some antiviruses because it uses common code blocks with the encryptor. To avoid the deletion of them all the .exe files were zipped by the gang with the same password: 123454321.
“I also noticed that they have posted decryption tools on their repositories. Given their past history, my advice is not to use those tools as it is a risk that most organizations and individuals should not take,” Shahidzadeh said. “Instead, I recommend waiting until trusted actors ,such as AV companies, produce a decryption tool.”
Shade was heavily used from about January 2019 through November 2019 with attacks trailing off starting in January 2020, which would support the gang’s claim that it halted distribution late last year.
Whether or not Shade is stepping aside remains to be see. The Gandcrab ransomware gang posted a retirement notice in June 2019 but recent reports have the threat actors re-emerging under the Sodinokibi moniker.
More recently the cyber actors behind the Nemty ransomware-as-a-service operation are reportedly folding up shop as they concentrate their efforts on a newly launched malicious encryptor.
The decision to shut down Nemty could leave some individuals in a lurch. As of April 14, the cybercriminals are giving victims one week to pay their ransom and receive a decryption key before Nemty’s payment infrastructure is supposedly dismantled. This ticking clock could coerce some panicked victims to hastily pay up.