The operatives behind Shade Ransomware shut down its operation, released 750,000 decryption keys and an apology to its victims.
In a surprise decision, the team behind the dreaded Shade Ransomware decided to pull the plug on the operation. Not only that, but the team also released more than 750,000 decryption keys and offered an apology to their victims.
The Shade Ransomware started its operation around 2014. Many ransomware families do not target Russia and other CIS countries. What separates Shade Ransomware from the rest is that it explicitly targets users in Russia and Ukraine.
ID Ransomware creator Michael Gillespie said that reports of attacks related to Shade Ransomware have been regular over the span of its operation. Gillespie added that he noticed a decline in reports sometime around the end of 2019.
The ultimate cause of the decreased reports was revealed this weekend. Shade Ransomware operatives created a GitHub repository and said that distribution of the ransomware had ceased at the end of 2019.
The statement also included an apology for the harm that the ransomware had brought to its victims. The operatives also provided decryption keys and instructions on how to recover encrypted files.
The keys, instructions, and apology are also posted on the team’s GitHub repository. Part of their statement reads:
“All other data related to our activity (including the source codes of the Trojan) was irrevocably destroyed. We apologize to all the victims of the Trojan and hope that the keys we published will help them to recover their data.”
Also included in the repository are five master decryption keys and a link to download a decryption program. Kaspersky Lab analyst Sergey Golovanov confirmed that the keys are valid and can be used to decrypt an infected computer.
What is ransomware?
Ransomware is malicious software that encrypts a user’s data and holds it hostage. Some ransomware also blocks users from accessing their system. Ransomware, as the name suggests, requires the victim to pay a ransom before they are able to decrypt their data.
Ransomware is often spread through emails and drive-by downloads. Drive-by downloads occur when a user unknowingly accesses an infected website.
Some ransomware can be removed by simply reformatting an infected machine. However, once user data is encrypted, the encryption cannot be undone unless a decryption key is available. Some data recovery experts can recover encrypted data by using specialized decryption tools.