Shade Ransomware [Updated]

Also Known As: Shade virus
Distribution: Low
Damage level: Severe

Shade ransomware removal instructions

What is Shade?

Shade is ransomware-type virus proliferated via malicious websites (exploit kits) and infected email attachments. After system infiltration, Shade encrypts most files stored on the infected machine. Furthermore, this application changes the desktop background and creates a .txt file, which states that the files are encrypted and that the email address provided must be used to receive instructions for decryption. It is also stated that users who try to decrypt these files manually will lose their data. This ransomware is mainly spread within Germany, Russia, and the Ukraine. The virus adds the .crypted000007, .no_more_ransom, .better_call_saul, .breaking bad, .heisenberg, .windows10, .7h9r, .xtbl.ytbl or .da_vinci_code extensions to encrypted files. Some variants of Shade ransomware demand that victims contact cyber criminals via email addresses provided:,,,,,,,,, or to regain control of their compromised data.

Shade ransomware virus

Shade employs the AES 256 encryption algorithm and, therefore, decrypting these files without the unique key (which is stored in the servers controlled by Shade's developers) is impossible. The command and control (C&C) servers used by the developers of Shade are located within the Tor online anonymity network. Unlike other file encryption ransomware (such as Crypt0L0cker, CryptoWall, and CTB-Locker), Shade installs a number of malware infections on the affected computer. These malware-type apps include Murex (adding malicious JavaScript files that cause unwanted browser redirects to various promoted sites or downloads of other malware), Kovter (a trojan that receives certain commands and sends PC-related information to the hacker), Zemot (this threat is able to download other malware), and CMSBrute (a trojan used to 'brute force' website passwords).

At time of research, there were no tools capable of removing Shade ransomware. Fortunately, however, shadow files remain untouched. Therefore, the best way to address this problem is to restore your system to a previous state. Never attempt to contact these cyber criminals. Ransomware-type applications usually demand ransom a payment in exchange for a decryption key, however, you can never be sure that your files will ever be decrypted. Paying the ransom is equivalent to sending your money to cyber criminals - you will simply support their malicious businesses. To avoid this type of infection, be cautious when entering suspicious websites, and especially when opening email attachments sent from unrecognized email addresses. In addition, use a legitimate anti-virus or anti-spyware suite and keep all of your installed software up-to-date.

Screenshot of the desktop following Shade ransomware file encryption:

shade ransomware victims desktop (files encrypted with .da_vinci_code extension)

Text presented on the desktop wallpaper added by Shade ransomware:

All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.

Readme.txt file (which contains a message encouraging users to contact the developers) created by Shade ransomware:

Shade ransomware creating text file with contact instructions

Text presented in the readme.txt file:

All the important files on your computer were encrypted. To decrypt the files your should send the following code: to email address [email protected] or [email protected] Then your will receive all necessary instructions. All the attempts of decrypting by yourself will result in irrevocable loss of your data.

Updated variant of this ransom demand message (README[1-10].txt):

 shade updated ransom demanding message readme.txt file

Text presented by the updated variant of Shade ransomware:

Baши файлы были зaшифрoваны.
Чmoбы pаcшuфроваmь иx, Bам необходимo оmправumь koд:
нa элеkтpoнный адрec .
Далеe вы пoлучиmе вcе нeoбхoдимыe инcтpуkцuu.
Попытки раcшuфровaть самоcmоятельнo не пpивeдym ни k чeмy, крoмe безвозвpamной noтeри информaциu.
Eслu вы всё жe xoтите noпытаmьcя, mo nрeдвapительно cдeлайme peзервные konuu файлов, uнaче в случаe
иx uзмeнeнuя рacшифpoвka сmанem нeвoзможной ни nри kаkиx yслoвиях.
Еcлu вы не nолучuлu omвеmа no вышеуkазaннoмy aдpeсy в mеченuе 48 чacoв (и тoлько в этом cлучае!),
вocnoльзуйтeсь фoрмой обpатной cвязu. Эmо мoжно cдeлaть двyмя сnосoбaмu:
1) Cкачaйme u уcmaнoвиmе Tor Browser пo сcылке:
В aдрecнoй cтpoкe Tor Browser-a введuте адрec:
и нажмиmе Enter. 3аrрузиmcя cmраницa с фоpмoй oбратной cвязu.
2) B любом брaузере nepeйдuте пo oдномy uз адреcoв:

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

Screenshot of Shade ransomware website:

shade ransomware website

Text presented on this website:

Вы можете отправить сообщение через форму обратной связи: You can send the message using the following feedback form:
Ваш e-mail / Your e-mail: Мой код из Readme.txt (вида 0011223344556677AAFF|0): My code from Readme.txt (it looks like 0011223344556677AAFF|0):
Я потерял все Readme.txt либо не смог найти ни одного I lost all my Readme.txt files or did not find any of them Текст сообщения / The text of the message: Пожалуйста, введите текст с картинки: Please enter the text from the image: Отправить / Send Информация: на данный момент используется алгоритм шифрования RSA-3072. Он является одним из самых криптостойких методов, и данные, зашифрованные им, не могут быть расшифрованы без приватного ключа. Подробнее... Information: the current encryption algorithm is RSA-3072. It is one of the most cryptographically strong methods and the data encrypted by it can not be decrypted without the private key. More...

Shade ransomware removal:

Instant automatic removal of Shade virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Shade virus. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced Start-up options, in the opened "General PC Settings" window, select Advanced Start-up. Click the "Restart now" button. Your computer will now restart into "Advanced Start-up options menu". Click the "Troubleshoot" button, then click the "Advanced options" button. In the advanced option screen, click "Start-up settings". Click the "Restart" button. Your PC will restart into the Start-up Settings screen. Press "5" to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Login to the account infected with the Shade. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to Shade ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Shade ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Shade are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Shade, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware (which artificially implant group policy objects into the registry to block rogue programs such as Shade).

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises these attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users'' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Shade ransomware: