Shade Ransomware, also known as Troldesh


During the first half of 2019, Shade Ransomware (also known as Troldesh) was the malware most actively distributed through malicious email phishing campaigns, according to the Singapore-based security firm Group-IB.

Out of all malspam emails detected and examined by Group-IB’s Computer Emergency Response Team (CERT-GIB), Shade Ransomware was the main malware strain used by attackers to infect their targets’ computers in H1 2019.

“Currently, three of the most widespread tools used in attacks tracked by Group-IB’s Computer Emergency Response Team have been Troldesh (53%), RTM (17%) and Pony Formgrabber (6%),” the researchers claim.

Shade Ransomware is a strain sold or rented on various crimeware markets, and it is known for using constantly changing Tor command-and-control (C2) servers, which makes its infrastructure harder to block.

While not new on the malware scene, Shade is constantly upgraded with new features and capabilities, which keeps demand up and its creators busy updating it.

Luckily, two Shade Ransomware decryptor tools created by Kaspersky Lab and Intel Security are available on the No More Ransom website, although it’s important to mention that they only work for some older variants.

“Recent campaigns with Troldesh have shown that now it not only encrypts files, but also mines cryptocurrency and generates traffic to websites to increase traffic and revenue from online advertising,” as Group-IB researchers also said at the time.

The Shade Ransomware increase in activity from June was also confirmed by researchers at Avast.

They stated that the campaign they monitored predominantly targeted Mexico and Russia, with potential victims from the UK and Germany also being heavily targeted.

Malwarebytes researchers also spotted an activity spike during February 2019, reporting a “sharp increase in detections from Q4 2018 to Q1 2019” as part of “an active, successful campaign.”

“What sets Troldesh apart from other ransomware variants is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor,” Malwarebytes Labs said.

“Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks,” the researchers concluded.
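The large number of readme#.txt ransom notes that Malwarebytes calls out above is a simple host-level indicator an incident responder can sweep for. The script below is an added example, not code from the article or from any of the vendors quoted; it walks a directory tree, counts files matching a case-insensitive "readme<digits>.txt" pattern per directory, and flags directories holding at least a threshold number of them. The exact numbering scheme, the threshold, and the sample directory layout are assumptions for the demonstration (the article only says "readme#.txt"), and the sample tree is constructed in a temporary directory so the script runs offline.

```python
import os
import re
import shutil
import tempfile

# Ransom-note filename pattern described in the article as "readme#.txt".
# Case-insensitive "readme<digits>.txt"; the exact numbering is an assumption.
NOTE_RE = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)


def find_ransom_note_dirs(root, min_notes=3):
    """Walk `root` and return {directory: note_count} for every directory
    that holds at least `min_notes` files matching the readme#.txt pattern.

    A single readme.txt (no digits) is deliberately not matched, so ordinary
    project readmes do not trigger the check; the threshold filters out a
    lone numbered file that could be legitimate.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        count = sum(1 for name in filenames if NOTE_RE.match(name))
        if count >= min_notes:
            hits[dirpath] = count
    return hits


def build_sample_tree():
    """Constructed sample data (assumption, not real infection artefacts):
    - Documents: ten README1..README10.txt notes next to a user file
    - Project:   a normal readme.txt that must not be flagged
    - Downloads: one readme1.txt, below the threshold
    Returns the temporary root; caller removes it with shutil.rmtree.
    """
    root = tempfile.mkdtemp(prefix="shade_demo_")
    infected = os.path.join(root, "Documents")
    clean = os.path.join(root, "Project")
    single = os.path.join(root, "Downloads")
    for directory in (infected, clean, single):
        os.makedirs(directory)
    for i in range(1, 11):
        with open(os.path.join(infected, f"README{i}.txt"), "w") as fh:
            fh.write("placeholder ransom note text\n")
    with open(os.path.join(infected, "report.docx"), "w") as fh:
        fh.write("user document\n")
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("project notes\n")
    with open(os.path.join(single, "readme1.txt"), "w") as fh:
        fh.write("single numbered file\n")
    return root


def run_demo():
    """Build the sample tree, sweep it, clean up, and return the findings
    as {relative_dir: count} so the result is independent of the temp path."""
    root = build_sample_tree()
    try:
        hits = find_ransom_note_dirs(root)
        return {os.path.relpath(d, root): n for d, n in hits.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for directory, count in sorted(run_demo().items()):
        print(f"{directory}: {count} ransom-note files")
```

On a real host, point `find_ransom_note_dirs` at user profile roots or file-server shares; a low threshold plus the digit requirement keeps the sweep cheap and specific, and directories that trigger are the ones to preserve for forensics before any cleanup.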