Shade ransomware decryptor released with 750,000 keys

After six years of steady attacks, the operators behind Shade ransomware took to GitHub this week to announce they had shut down, issued an apology to their victims and relinquished approximately 750,000 decryption keys in their possession.

On Thursday, Kaspersky Lab released an updated decryptor app that includes the newly-released keys and can unlock victims' files for all versions of the Shade ransomware. Kaspersky researchers had previously developed a decryptor for older versions of Shade.

Shade, also known as Troldesh, was one of several early variants that drove the ransomware boom during the mid-2010s. First identified in 2014, Shade ransomware appeared to target predominantly European countries, including the U.K. Although the shutdown statement was made on April 26, Shade operators said they had actually stopped distribution at the end of 2019.

"All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed," the group said in its statement on GitHub. "We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data."

Also posted to the GitHub repository was instructions on how to recover files using the released keys, though Shade operators said they hoped that "antivirus companies will issue their own more user-friendly decryption tools." Three days later, Kaspersky released its updated decryptor app for Shade.

Kaspersky senior security researcher Jornt van der Wiel said the release of decryptors are obviously only helpful for the victims who kept their encrypted files. "For the ones who deleted their files, or paid, this is not very helpful. We do know of cases where people found decryptors three years after their release. They kept their encrypted files and were still able to decrypt all their files without paying," Wiel said.

Shade operators are not the first ransomware gang to issue an apology or release decryption keys. For example, in 2016 the TeslaCrypt ransomware variant was shut down unexpectedly and the decryption master key was released to the public, allowing anyone affected to recover data. An ESET researcher reached out to the team behind TeslaCrypt and asked for the private key used by the ransomware. Someone behind TeslaCrypt told ESET the ransomware effort was closed, provided the TeslaCrypt master key and even said, "We are sorry."

Three years later, the authors behind one of the most widespread ransomware threats, GandCrab ransomware as a service, announced that group would be shut down. Citing "retirement" as their reason, the group promised to delete the decryption keys. Luckily for the victims who would have had little recourse to recover encrypted data, Bitdefender and law enforcement from around the world released an updated GandCrab decryption tool through the No More Ransom Project, which was cofounded by Kaspersky and McAfee.

Though there are many possibilities, Wiel said it's hard to decipher the real motivation when ransomware operators have a sudden change of heart and shut down their operation. "Keys can be stolen by a rival gang who put the message on GitHub, or it can be the real authors," Wiel said. "We will never know until the law enforcement makes some arrests."

Regardless of the motivations, anything that results in victims not paying criminals for their data is a win, said chief scientist and McAfee fellow Raj Samani. "Whether that is because No More Ransom had a decryptor or the criminals showed remorse, we have to disrupt the flow of revenue for ransomware operators to be successful," he said.