Shade Ransomware Taken Down

In response to the news that a joint operation by Europol, the Dutch National High Tech Crime Unit, Intel, and Kaspersky has seized the command and control servers for the Shade ransomware strain and published code that allows anyone hit by the malware to decrypt their files. Mark James, security specialist at ESET commented below.

Mark James, Security Specialist at ESET:

Now that the C&C servers have been seized will this likely be the end of Shade?

“One of the biggest problems with malware these days is its ability to be modified in ways that may affect the outcome of its behaviour so that it almost takes on the guise of an entirely different program. These strains or variants may temporarily defeat malware detection routines that may have been very effective in detecting the original strain. Often we find that successful malware will sometimes go into a dormant stage when it is stopped or believed to be wiped out, only for it to rear its ugly head at a later time, modified and ready to start its devastation again, although not always successful.”

What made Shade such a nasty piece of ransomware?

“Typical ransomware will often have a single goal, to encrypt your data and hold you to ransom. Once this is done its job is over. Shade is actually a little different, even after doing its dirty dead it will attempt to retrieve a list of websites that are serving malware, contact them and download more malware to do other nasty things. This may include programs for stealing passwords, or other very sensitive data being held or accessed on your machines.”

Why has it taken so long for the ransomware to be stopped, particularly when decryption tools for Bart and CryptXXX were released only weeks after the ransomware variants were first discovered?

“Because the actual malware itself can change and mutate the only real effective way of dealing with it is by locating and stopping its source for getting keys to encrypt your data. If this is done in its entirety then creating a program to generate the correct decryption key is a whole lot easier. Malware is designed to be stealthy it wants to stay undetected, many methods will be applied to make tracking and or locating the original C&C servers as difficult as possible, that’s without even considering where the server may be located which may cause a completely different set of obstacles.”