The operators of Shade ransomware published the decryption keys for 750,000 of their victims in an effort to help them recover their data.

The authors of Shade used a GitHub post to make decryption keys available to all of their remaining victims (approximately 750,000). They also used the post to provide some context for their decision:

We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.

An ID Ransomware submission confirming a drop in activity for Shade ransomware at the end of 2019. (Source: Bleeping Computer)

The post went on to provide instructions on how victims can use the decryption keys to recover their encrypted information. Along the way, Shade’s handlers noted that the decryption keys they had released bore certain similarities with the encryptors they had used to scramble users’ data in the first place. They therefore explained that they had used the password “123454321” to protect all of the executable files, to prevent AV software from automatically flagging them as malicious.

The ransomware’s authors also explained that those who were experiencing difficulties in using the decryption keys to recover their files could ...