Shade Ransomware [Updated]

Also Known As: Shade virus
Distribution: Low
Damage level: Severe

Shade ransomware removal instructions

What is Shade?

Shade is ransomware-type virus proliferated via malicious websites (exploit kits) and infected email attachments. After system infiltration, Shade encrypts most files stored on the infected machine. Furthermore, this application changes the desktop background and creates a .txt file, which states that the files are encrypted and that the email address provided must be used to receive instructions for decryption. It is also stated that users who try to decrypt these files manually will lose their data. This ransomware is mainly spread within Germany, Russia, and the Ukraine. The virus adds the .crypted000007, .no_more_ransom, .better_call_saul, .breaking bad, .heisenberg, .windows10, .7h9r, .xtbl.ytbl or .da_vinci_code extensions to encrypted files. Some variants of Shade ransomware demand that victims contact cyber criminals via email addresses provided: Lutovinova.Antonina@gmail.com, vladimirscherbinin1991@gmail.com, Novikov.Vavila@gmail.com, Denisieva.Ioannikiya@gmail.com, Lukyan.Sazonov26@gmail.com, VladimirScherbinin1991@gmail.com, Yvonne.Vancese1982@gmail.com, 7h9r341@gmail.com, GraceseYoumans1983@gmail.com, or drugvokrug727@india.com to regain control of their compromised data.

Shade ransomware virus

Shade employs the AES 256 encryption algorithm and, therefore, decrypting these files without the unique key (which is stored in the servers controlled by Shade's developers) is impossible. The command and control (C&C) servers used by the developers of Shade are located within the Tor online anonymity network. Unlike other file encryption ransomware (such as Crypt0L0cker, CryptoWall, and CTB-Locker), Shade installs a number of malware infections on the affected computer. These malware-type apps include Murex (adding malicious JavaScript files that cause unwanted browser redirects to various promoted sites or downloads of other malware), Kovter (a trojan that receives certain commands and sends PC-related information to the hacker), Zemot (this threat is able to download other malware), and CMSBrute (a trojan used to 'brute force' website passwords).

At time of research, there were no tools capable of removing Shade ransomware. Fortunately, however, shadow files remain untouched. Therefore, the best way to address this problem is to restore your system to a previous state. Never attempt to contact these cyber criminals. Ransomware-type applications usually demand ransom a payment in exchange for a decryption key, however, you can never be sure that your files will ever be decrypted. Paying the ransom is equivalent to sending your money to cyber criminals - you will simply support their malicious businesses. To avoid this type of infection, be cautious when entering suspicious websites, and especially when opening email attachments sent from unrecognized email addresses. In addition, use a legitimate anti-virus or anti-spyware suite and keep all of your installed software up-to-date.

Screenshot of the desktop following Shade ransomware file encryption:

shade ransomware victims desktop (files encrypted with .da_vinci_code extension)

Text presented on the desktop wallpaper added by Shade ransomware:

All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.

Readme.txt file (which contains a message encouraging users to contact the developers) created by Shade ransomware:

Shade ransomware creating text file with contact instructions

Text presented in the readme.txt file:

All the important files on your computer were encrypted. To decrypt the files your should send the following code: to email address [email protected] or [email protected] Then your will receive all necessary instructions. All the attempts of decrypting by yourself will result in irrevocable loss of your data.

Updated variant of this ransom demand message (README[1-10].txt):

 shade updated ransom demanding message readme.txt file

Text presented by the updated variant of Shade ransomware:

Baши файлы были зaшифрoваны.
Чmoбы pаcшuфроваmь иx, Bам необходимo оmправumь koд:
BE704DA87649B31EFB45|0
нa элеkтpoнный адрec robertamacdonald1994@gmail.com .
Далеe вы пoлучиmе вcе нeoбхoдимыe инcтpуkцuu.
Попытки раcшuфровaть самоcmоятельнo не пpивeдym ни k чeмy, крoмe безвозвpamной noтeри информaциu.
Eслu вы всё жe xoтите noпытаmьcя, mo nрeдвapительно cдeлайme peзервные konuu файлов, uнaче в случаe
иx uзмeнeнuя рacшифpoвka сmанem нeвoзможной ни nри kаkиx yслoвиях.
Еcлu вы не nолучuлu omвеmа no вышеуkазaннoмy aдpeсy в mеченuе 48 чacoв (и тoлько в этом cлучае!),
вocnoльзуйтeсь фoрмой обpатной cвязu. Эmо мoжно cдeлaть двyмя сnосoбaмu:
1) Cкачaйme u уcmaнoвиmе Tor Browser пo сcылке: https://www.torproject.org/download/download-easy.html.en
В aдрecнoй cтpoкe Tor Browser-a введuте адрec:
http://cryptsen7fo43rr6.onion/
и нажмиmе Enter. 3аrрузиmcя cmраницa с фоpмoй oбратной cвязu.
2) B любом брaузере nepeйдuте пo oдномy uз адреcoв:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/


All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
BE704DA87649B31EFB45|0
to e-mail address robertamacdonald1994@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

Screenshot of Shade ransomware website:

shade ransomware website

Text presented on this website:

Вы можете отправить сообщение через форму обратной связи: You can send the message using the following feedback form:
Ваш e-mail / Your e-mail: Мой код из Readme.txt (вида 0011223344556677AAFF|0): My code from Readme.txt (it looks like 0011223344556677AAFF|0):
Я потерял все Readme.txt либо не смог найти ни одного I lost all my Readme.txt files or did not find any of them Текст сообщения / The text of the message: Пожалуйста, введите текст с картинки: Please enter the text from the image: Отправить / Send Информация: на данный момент используется алгоритм шифрования RSA-3072. Он является одним из самых криптостойких методов, и данные, зашифрованные им, не могут быть расшифрованы без приватного ключа. Подробнее... Information: the current encryption algorithm is RSA-3072. It is one of the most cryptographically strong methods and the data encrypted by it can not be decrypted without the private key. More...

Update April 28, 2020 - Cyber criminals are shutting down the entire Shade (Troldesh) ransomware network, including all updated variants of this malware. They've also released all the decryption keys (over 750,000), as well as a decryption tool, so that victims could decrypt their data. The problem is that the released decryptor is rather complicated to use. For this reason, Kaspersky is planning to release an updated variant of their RakhniDecryptor (download link) which will support the Shade ransomware. Although at this current moment the exact ETA of the update is unknown, it is very likely to be in near future.

Shade ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced Start-up options, in the opened "General PC Settings" window, select Advanced Start-up. Click the "Restart now" button. Your computer will now restart into "Advanced Start-up options menu". Click the "Troubleshoot" button, then click the "Advanced options" button. In the advanced option screen, click "Start-up settings". Click the "Restart" button. Your PC will restart into the Start-up Settings screen. Press "5" to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Login to the account infected with the Shade. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to Shade ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Shade ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Shade are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Shade, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware (which artificially implant group policy objects into the registry to block rogue programs such as Shade).

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises these attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users'' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Shade ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Shade virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Shade virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

▼ REMOVE IT NOW
Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.