Malware, Threat Management

‘Black Shades’ ransomware taunts researchers in its source code

An independent security researcher who goes simply by the name Jack recently discovered a ransomware called “Black Shades,” which not only encrypts files but also taunts security researchers.

There are multiple obfuscated strings of source code within the ransomware which contain taunting messages for researchers who are analyzing the malware, according to Bleeping Computer. One of the codes said “YoxcnnotcrackthisAlgorithmynare>idiot<” which is meant to read “You cannot crack this algorithm … idiot” and another code written in Russian translated to “you cannot hack me, I am very hard.”

Researchers at the MalwareHunterTeam think the ransomware may be distributed through fake videos, fake cracks, or fake patches, Bleeping Computer said.  

Though he hasn't witnessed the attack in the wild, Jack told SCMagazine.com via emailed comments the ransomware is likely being distributed via rogue installs from file sharing websites and potentially as fake updates.

“Some samples I have observed were dropped from a keygen “tool” that actually downloaded the SilentShade / BlackShades binary,” he said. “That is an interesting distribution method because many people will bypass AV for downloaded keygen or cracked programs since they usually are detected as “hack tools” or something similar.”

Jack said the he thinks the use of the “Black Shades” branding is interesting and is due to either a lack of creativity or out of a social engineering tactic to coerce victims to pay.

“If they were to google 'Black Shades,' for example, the first result is from the FBI, which may add 'legitimacy' to what the victim is seeing,” Jack said.

Once infected, the malware will only encrypt certain commonly used C drive folders such as the “Downloads,” “Documents,” and “Desktop” folders using AES-256 encryption and will also drop a file in each folder called YourID.txt, which contains the unique victim ID, according to the report. On other drives the malware will encrypt every folder it scans.

When it is done encrypting the ransomware will display a ransom note which displays itself every time the user logs into the computer and instructs the user to how to pay the $30 ransom in Bitcoin or on Paypal. Researchers at Bleeping Computer noted the use of the Paypal option is strange because the payment platform is easily traceable.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.