The operators of the Shade ransomware abruptly ceased operations at the end of 2019 and, after shutting down, have released nearly 750,000 decryption keys.
Shade, also known as Troldesh or Encoder.858, is a trojan-encryptor (ransomware) that has been active since 2014 and is believed, according to published reports, to be of Russian origin.
The most striking part of the announcement is the apology: the operators have apologized to all of the victims affected by their ransomware.
Shade has been circulating since 2014, so the key release matters to a large number of victims. A security analyst from Kaspersky Lab has verified that the leaked keys are genuine, and the company is now working on a free decryption tool.
The operators state that they have their own reasons for releasing the keys, but they have not disclosed what those reasons are.
The shutdown surprised the security community, since Shade was one of the longest-running ransomware operations: first spotted in 2014, it ran continuously until it closed at the end of 2019.
The released keys should help every user whose data was encrypted by Shade. The release is said to cover all versions of the ransomware and all users who were infected.
Steps to Decrypt All Your Encrypted Files:-
- Before decrypting, close all other programs and do not use the computer for anything else until the process finishes. You will need your computer ID: a 20-character string of upper-case letters and digits (example: AABBCCDDEEFF00112233).
- If you do not know your ID, download and run the /bin/getid.exe program from the release to obtain it. The ID is also saved in the README.txt files that the ransomware leaves on the computer, in the root folders of all drives.
(Note: in later versions of the ransomware the ID may also have been appended to the names of the encrypted files.)
- Look at the code in README.txt. If it contains a zero after the vertical bar, go to the /keys/<dir>/dynamic/<letter>/ folder, where <letter> is the first character of your code. The /keys/alt/dynamic/ folder holds all key files together, not split by the first letter of the code.
- In that folder, find the .txt file that contains your ID and download it. Create a folder on your PC (c:\decrypt\ in the rest of these instructions), then download /bin/decrypt.exe and save it into that folder.
- Move the downloaded key file into the same folder and rename it key.txt. Finally, run decrypt.exe from that folder to decrypt your files.
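To make the manual steps above less error-prone, here is an added example in Python (not part of the original article or of the key release) that finds the victim ID, works out where in the released key set to look, and stages the key file as key.txt. It assumes: the README carries the ID followed by a vertical bar and a digit, as described above; `<dir>` in /keys/<dir>/dynamic/<letter>/ is not specified on the page, so every subfolder of keys/ is tried; and the key file is a .txt whose name or contents contain the ID. The sample tree built in demo() is constructed, not real Shade data.

```python
"""Locate a Shade victim ID and the matching released key file (added example)."""
import re
import shutil
import tempfile
from pathlib import Path

# Victim ID: 20 upper-case letters/digits (page example: AABBCCDDEEFF00112233).
# The README may append "|<n>" after the ID; treating n == 0 as the marker that
# selects the dynamic/<letter> layout is an assumption taken from the steps above.
ID_RE = re.compile(r"(?<![A-Z0-9])([A-Z0-9]{20})(?:\|(\d+))?(?![A-Z0-9])")


def find_id_in_text(text):
    """Return (victim_id, suffix) from README text; suffix is None when absent."""
    m = ID_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2)


def find_id_in_filename(name):
    """Later Shade versions appended the ID to the file name; pull it from a name."""
    m = re.search(r"[A-Z0-9]{20}", name)
    return m.group(0) if m else None


def find_id(search_roots):
    """Scan root folders for README*.txt first, then fall back to file names.

    The recursive walk can be slow on a full drive; README.txt is tried first
    because the ransomware drops it in every drive root.
    """
    for root in search_roots:
        root = Path(root)
        for readme in sorted(root.glob("README*.txt")):
            found = find_id_in_text(readme.read_text(errors="ignore"))
            if found:
                return found
        for p in root.rglob("*"):
            vid = find_id_in_filename(p.name)
            if vid:
                return vid, None
    return None


def key_search_dirs(keys_root, victim_id, suffix):
    """Candidate folders in the released key set.

    keys/<dir>/dynamic/<letter>/ is used when the suffix is 0 (<dir> is unspecified
    on the page, so every subfolder is tried); keys/alt/dynamic/ holds every file
    without the split by first letter and is always included.
    """
    keys_root = Path(keys_root)
    dirs = []
    if suffix == "0":
        for sub in sorted(keys_root.iterdir()):
            cand = sub / "dynamic" / victim_id[0]
            if cand.is_dir():
                dirs.append(cand)
    alt = keys_root / "alt" / "dynamic"
    if alt.is_dir():
        dirs.append(alt)
    return dirs


def locate_key_file(dirs, victim_id):
    """The key file is a .txt whose name or contents carry the victim ID (assumption)."""
    for d in dirs:
        for f in sorted(Path(d).glob("*.txt")):
            if victim_id in f.name or victim_id in f.read_text(errors="ignore"):
                return f
    return None


def stage_key(key_file, decrypt_dir):
    """Copy the key next to decrypt.exe as key.txt, the name the tool expects."""
    decrypt_dir = Path(decrypt_dir)
    decrypt_dir.mkdir(parents=True, exist_ok=True)
    dest = decrypt_dir / "key.txt"
    shutil.copyfile(key_file, dest)
    return dest


def demo():
    """Constructed sample tree (not real Shade data): a README with an ID and a key set."""
    base = Path(tempfile.mkdtemp())
    vid = "AABBCCDDEEFF00112233"
    (base / "README.txt").write_text(f"Your ID: {vid}|0\n")
    keyfile = base / "keys" / "1" / "dynamic" / "A" / f"{vid}.txt"
    keyfile.parent.mkdir(parents=True)
    keyfile.write_text("constructed-key-material\n")
    found = find_id([base])
    dirs = key_search_dirs(base / "keys", found[0], found[1])
    key = locate_key_file(dirs, found[0])
    dest = stage_key(key, base / "decrypt")
    return found, dest.name, dest.read_text()
```

Point find_id() at the root folders of your drives and key_search_dirs() at a local copy of the released keys directory; decrypt.exe itself is still run by hand from c:\decrypt\ once key.txt is in place.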
Be warned that this manual process is not very reliable: the instructions that accompany the released keys are far from straightforward, as the steps above show, and many victims may struggle to get them to work. Running binaries published by the attackers themselves is also a risk in its own right, so victims who are not comfortable with the manual steps are better served by a decryptor from an established security vendor.
Sergey Golovanov of Kaspersky has confirmed that the keys work and that Kaspersky will soon update its RakhniDecryptor tool to include them, so victims can recover their files free of charge.
You can also read the complete ransomware mitigation checklist.
What do you think about this? Share your views and thoughts in the comment section below.