Recently the Shade gang announced that it would be ending all operations. This draws to a close one of the longest-running ransomware strains activity. Since 2014 the gang has been active with campaigns being conducted at a fairly constant rate since security researchers detected the variant encrypting victim’s data. Shade activity essentially fell off a cliff in late 2019 but recent announcements made by the gang can be seen as the final nail in the variants coffin.
The gang took to GitHub to make the announcement which read as follows,
“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh, or Encoder.858. In fact, we stopped its distribution at the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”
As the above message confirmed the gang released some 750,000 decryption keys in an act of good faith to help victims recover encrypted data. The authenticity of the decryption keys was later verified by Kaspersky Labs researcher Sergey Golovanov. The security firm is now working on a decryption tool which would make the decryption process far easier.
As to a release date for the tool, nothing has been announced but it can be expected in the near future. Researchers from Kaspersky Labs have a certain amount of experience dealing with Shade as they released several decryption tools, the last being in 2017 but did receive an update in October 2019. As to the exact reasons for the gang to throw in the towel a number of theories are floating around but no hard evidence has come to light for researchers to say for sure.
While the release of the decryption keys can be seen as an act of good faith it does come with a number of caveats. It is true that the release of the keys will help certain victims, the victims will need to still have access to data encrypted by the ransomware. When victims look to recover from a ransomware attack they will usually opt to perform a full system re-install more often than not resulting in the deletion of encrypted files. The release of the decryption will assist researchers at Kaspersky to create a decryptor that much is granted.
With the gang ceasing operations, another chapter in ransomware’s saga comes to an end. Much in the same way when GandCrab ceased operations in the middle of 2019, many lessons can be learned as to how these gangs operate, hopefully drawing back the curtain somewhat on operations still largely in the dark. As mentioned above Shade’s story began in 2014 and has been active constantly throughout its lifecycle. It was distributed via both spam email campaigns and exploit kits. While it was constantly active it was not a perfect strain of ransomware by any means as this can be seen by the multiple decryption programs developed by Kaspersky and other security firms. It is important to note that the decryptors would only work on a small number of cases however, proving that the code used by the gang was good enough to turn a profit.
When looking at Shade’s past two campaigns deserve special mention. The first, discovered by Avast took place in June 2019. The security firm was able to block 100,000 instances of the ransomware, tracked as Troldesh by the security firm, from executing. It can be assumed that far more attempts at encrypting data were carried out than just those detected by Avast. The campaign targeted individuals in the US, UK, and Germany but by far the most detections occurred in Russia and Mexico. It was noted by Avast that the ransomware had been spread predominantly via spam emails, instances of the malware were seen been distributed via social media and other messaging platforms. Researchers further noted,
“We see a spike in the number of its attacks that is probably more to do with Troldesh operators trying to push this strain harder and more effectively than any kind of significant code update. Troldesh has been spreading in the wild for years with thousands of victims with ransomed files and it will probably stay prevalent for some time.”
Given the global scope of the above-mentioned campaign, it would have been nearly impossible for researchers to predict that activity would drop off so suddenly merely six months later. The second campaign was analyzed by MalwareBytes detailing a spike in detections that started towards the end of 2018 and ran through till half of Q1 of 2019. The spike in activity happened when a lot of ransomware gangs appeared to be slowing distribution in favor of distributing other malware such as coin miners.
“Victims of Troldesh are provided with a unique code, an email address, and a URL to an onion address. They are asked to contact the email address mentioning their code or go to the onion site for further instructions. It is not recommended to pay the ransom authors, as you will be financing their next wave of attacks. What sets Troldesh apart from other ransomware variants is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor. Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks. The free decryptors that are available only work on a few of the older variants, so victims will likely have to rely on backups or roll-back features.”
Don’t let your Guard Down
While one gang has decided to cease all operations now is not the time to let one’s guard down. For many ransomware operators, it is business as usual. For some, they have been increasingly targeting hospitals despite pleas from health departments, law enforcement, and security firms not to target essential services already strained due to the COVID-19 pandemic. Earlier in the year, certain gangs started threatening to and releasing stolen data if the ransom is not paid in a timeous fashion. This trend appears now to have become a favored tactic as it opens up new revenue streams for the attacker in that data stolen can be sold on to other cybercriminals.
Microsoft’s Threat Protection Intelligence team has issued another warning, this time warning victims that even if the attackers have not threatened to release data publically it does not mean they have not stolen it. Further, it was stated that,
“Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.”
In order to defend against falling victim to ransomware gangs, in particular human-operated ransomware gangs, Microsoft advises network admins to scour networks for malicious PowerShell, Cobalt Strike, and other penetration-testing tools that may look like red team activities. They should also look for suspicious access to Local Security Authority Subsystem Service (LSASS) and suspicious registry modification, as well as evidence of tampering with security event logs. This advice comes as many of gangs have been seen targeting the following vulnerabilities:
- RDP or Virtual Desktop endpoints without Multi-factor authentication
- Citrix ADC systems affected by CVE-2019-19781
- Pulse Secure VPN systems affected by CVE-2019-11510
- Microsoft SharePoint servers affected by CVE-2019-0604
- Microsoft Exchange servers affected by CVE-2020-0688
- Zoho ManageEngine systems affected by CVE-2020-10189