CONTEXT:
Over the years, ransomware has caused huge damage to businesses as well as ordinary users. One of its variants, Shade ransomware, has recently affected many enterprises. The crew behind the ransomware was first spotted in late 2014, initially targeting Russian victims. The threat actors behind Shade have now acknowledged that they are quitting: the team released nearly 750,000 encryption keys on GitHub and, in a post there, apologized to the victims who were affected by the malware.
Insight:
The Shade team uploaded four files to a code repository on GitHub. One of the files contains the file keys, and four “ReadMe” files consist of decryption instructions and other related information. Later on, the team wrote that all other data relating to the group’s activity, including the trojan’s source code, had been irrevocably deleted. One of the security personnel also stated:
“We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools”
Shade ransomware was first discovered in late 2014 by Kaspersky. Initially, the malware mainly targeted Russian victims. The ransomware was capable of encrypting files and adding various extensions that could potentially trigger Remote Code Execution (RCE). The ransomware was mainly spread through spam emails. Researchers at the time of its discovery also noted that the ransomware had quickly established itself among the top three most widespread encryptors.
What is the methodology of the Shade ransomware?
Ransomware attacks are mainly intended to encrypt important data sets and may eventually affect the Master Boot Record (MBR). Shade is typically delivered through malicious emails that carry an archive attachment or an attached PDF. The attached file links to an archive disguised as an invoice or bill. These links and attachments then lead the user to a JavaScript or other script-based file designed to download and execute the Shade executable.
Last year, however, research from Palo Alto Networks’ Unit 42 showed that Shade’s threat actors had expanded their scope outside Russia, with the majority of the ransomware’s executables being observed in other countries. At the time, researchers said that the top five countries affected by Shade were the United States, Japan, India, Thailand, and Canada.
Security personnel and researchers also noted how Shade’s payload persisted over the five years and how the ransomware remained active throughout that time. When a Windows host became infected with Shade ransomware, its desktop background announced the infection, and 10 text files named README1.txt through README10.txt appeared on the desktop. The desktop background message read:
“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”
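As an added example (not code from the original article), the following Python checks cover the two observable points described above: an email archive attachment that carries a script file, which matches the archive-to-script delivery chain, and the ten README1.txt through README10.txt notes left on an infected desktop. The set of script extensions and the sample archive entry name are assumptions; the sample data is constructed inline.

```python
import io
import os
import re
import tempfile
import zipfile

# Assumed set of Windows-executable script extensions; an archive attachment
# containing one of these matches the "archive -> script -> executable" chain.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf"}

# Shade drops README1.txt .. README10.txt on the desktop of an infected host.
NOTE_PATTERN = re.compile(r"^README([1-9]|10)\.txt$", re.IGNORECASE)


def scripts_in_archive(archive_bytes: bytes) -> list:
    """Return names of script files inside a ZIP attachment (empty if none or not a ZIP)."""
    if not zipfile.is_zipfile(io.BytesIO(archive_bytes)):
        return []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [
            name for name in zf.namelist()
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS
        ]


def shade_notes_present(desktop_dir: str) -> bool:
    """True when all ten README<n>.txt notes (n = 1..10) exist in desktop_dir."""
    found = set()
    for name in os.listdir(desktop_dir):
        match = NOTE_PATTERN.match(name)
        if match:
            found.add(int(match.group(1)))
    return found == set(range(1, 11))


def build_sample_archive() -> bytes:
    """Constructed sample: an 'invoice' archive that actually carries a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0423.js", "// constructed placeholder, not a real script\n")
    return buf.getvalue()


def build_sample_desktop(note_count: int = 10) -> str:
    """Constructed sample desktop holding README1.txt .. README<note_count>.txt."""
    directory = tempfile.mkdtemp()
    for i in range(1, note_count + 1):
        open(os.path.join(directory, f"README{i}.txt"), "w").close()
    return directory
```

A mail gateway can call scripts_in_archive on each attachment and quarantine any hit, while an endpoint check can run shade_notes_present against user desktops to flag hosts that need isolation.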
How to mitigate such attacks?
Prevention must be the top priority. Shade ransomware is mainly transmitted through spam emails. Phishing emails are often very convincing, which leads recipients to trust the fraudulent content.
Therefore, it is crucial to verify that an email comes from a legitimate source. Beyond that, follow the steps below to prevent such attacks:
Update your system to its latest version. Exploit kits hosted on compromised websites are commonly used to spread infections, so regular patching of vulnerable software is mandatory as part of prevention.
Also, disable JavaScript in your browser to avoid remote intrusions.
Install a WAF (web application firewall) and keep your security software up to date. Use antivirus software from a reputable company; doing so will reduce the chances of a security failure.
Avoid providing personal information when responding to an email, unsolicited phone call, text message, or instant message. Intruders may trick employees into installing backdoor malware or manipulate them by claiming to be from an IT firm. Make sure to contact your IT department if you or your coworkers receive suspicious calls.
Also, Shade ransomware downloads a payload comprising executable files that upload user data to a malicious server. Therefore, keep a close eye on your daily data usage.