{"id":2675,"date":"2024-09-25T19:29:11","date_gmt":"2024-09-25T19:29:11","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2675"},"modified":"2025-07-29T06:08:08","modified_gmt":"2025-07-29T06:08:08","slug":"shade-ransomware-returns-to-throw-shade-at-authorities","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/shade-ransomware-returns-to-throw-shade-at-authorities\/","title":{"rendered":"Shade ransomware returns to throw shade at authorities"},"content":{"rendered":"
\n
\"Shade
Shade ransomware returns to throw shade at authorities<\/figcaption><\/figure>\n<\/div>\n\n\n

Despite the collective efforts of Europol, Intel, Kasperksy, and the Dutch cybercrime unit to eradicate the Shade ransomware<\/a>, the strain has returned and its authors are now mocking the authorities who tried to bring it down.  

Last year\u2019s attempted takedown was performed under the banner of the No More Ransom<\/a> initiative, whose aim is to attack ransomware control systems and publish free decryption keys.

While initially successfully, Shade has returned and added the extension \u201c.no_more_ransom\u201d (among others) to encrypted files \u2013 a clear swipe at last year\u2019s venture.

LMNTRIX Labs discovered the latest sample earlier this month. This new variant has been predominately targeting users in the UK, France, Germany, Italy, Ukraine, and Russia. 

Overview<\/strong>

Shade, aka Troldesh, belongs to a family of ransomware whose primary attack vectors are either malicious spam or exploit kits. Exploit kit attacks are particularly damaging as the victim does not necessarily have to open any file for the infection to occur \u2013 a single visit to any infected website is enough to initiate the infection process.

In its more mundane form, Shade spreads via emails containing malicious links which download a zipped JavaScript (JS) file or a Word document. When the JavaScript file is executed, it installs the ransomware.

After successful infection, Shade encrypts most files stored on the infected machine, changes the desktop background and creates a .txt file which includes the ransom demand and directions on how to pay.

The latest version adds the .crypted000007, .no_more_ransom, .better_call_saul, .breaking bad, .heisenberg, .windows10, .7h9r, .xtbl, .ytbl or .da_vinci_code extensions to encrypted files.

Shade also connects with multiple Command and Control servers in order to receive configuration data and other information about the victim\u2019s computer. 

File Details<\/strong><\/p>\n\n\n\n

File Type<\/td>Portable Executable (PE)  File<\/td><\/tr>
Md5 hash <\/td>15ebea98889b4d50c8db1c3b9d09b716<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis <\/strong>

Once executed, Shade\u2019s functionality includes:

\u2022    Creating registries

\u2022    Deleting files

\u2022    Dropping further malware

\u2022    Gaining command line (cmd.exe) access

\u2022    Confirming file version and size before encrypting

\u2022    Shutting down the computer after successful infection

Full functionality is illustrated below:

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

      

Dynamic Analysis <\/strong>

LMNTRIX researchers executed Shade in a dedicated virtual environment in order to analyse its behavior in terms of processes being created, files dropped\/deleted, registry values added\/deleted, and network communications (Command and Control servers involved), etc.

After execution, Shade (or sd01.exe) starts another child process with the same name, which disappears after some time:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



The initial process then contacts the following IP addresses:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


As the infection continues, the number of CnC servers contacted quickly increases. The multiple CnC callbacks and malware downloads indicates the infected machine is also conscripted to act as part of Shade\u2019s botnet network. This could also be seen as a further slight at the authorities behind last year\u2019s take down effort, as the latest variant\u2019s expansive CnC infrastructure would be much harder to eradicate:

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Next, more executable processes were initiated\u2026<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

 
\u2026 which lead to even more CnC callbacks:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Finally, the user\u2019s files are encrypted and the victim\u2019s desktop is changed to display the ransom note:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Memory Analysis<\/strong>

Next, we took an image of the RAM for further investigation and found the main executable process remained persistent, along with multiple child processes which kicked in after the initial executable was launched:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


<\/p>\n\n\n\n

We were also able to see all the active connections Shade called out to, as well as the number of instances of the executable file:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n



\"\"   
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Command and Control<\/strong>

Below are the IP addresses involved during Shade\u2019s infection cycle \u2013 there were 19 in total:

208.83.223.34    

86.59.21.38

142.44.210.91 

87.239.81.27 

93.180.156.84

128.31.0.39 

194.109.206.212

86.59.21.38

204.9.50.25

145.239.82.204

178.254.25.6

185.82.216.5

62.210.123.24

212.201.68.152

94.23.199.191 

198.12.145.239

209.99.40.223

67.23.244.66

208.91.198.231

MD5 hash of the file analyzed: 15ebea98889b4d50c8db1c3b9d09b716 

Dropped files<\/strong>

\u2022    C:\\Users\\test\\AppData\\Local\\<user-name>\\077F8DB3.exe 

o    md5: c1182260e1ba1f930e591a98e75552d9

\u2022    C:\\Users\\test\\AppData\\Local\\<user-name>\\31C13E52.exe 

o    md5: d668221d749214aac4e04d3daae07f7f

\u2022    C:\\Users\\test\\AppData\\Local\\<user-name>\\DD23EF15.exe 

o    md5: 8fbe9a961300fb62df587ed708160655  

\u2022    C:\\Users\\test\\AppData\\Local\\<user-name>\\FE87884C.exe 

o    md5: 85d881193d41b4fcb0a27b6e2243a0dc

Protection Measures <\/strong>

Given the additional extensions added to encrypted files, last year\u2019s nomoreransom.org decryption key may no longer decrypt files scrambled by Shade. Below are general cyber hygiene tips to minimize the chances of any infection, or enable a quick recovery in the event you do fall victim to ransomware:

\u2022    Keep frequent file back-ups on an external memory device or cloud-based storage.

\u2022    Keep security programs updated.

\u2022    Avoid visiting websites considered unsafe, particularly those with pirated or illegal content.

\u2022    Use a reliable anti-spam filter to block spam emails with malicious file attachments from ever entering your inbox.<\/p>\n","protected":false},"excerpt":{"rendered":"

Despite the collective efforts of Europol, Intel, Kasperksy, and the Dutch cybercrime unit to eradicate the Shade ransomware, the strain has returned and its authors are now mocking the authorities who tried to bring it down.   Last year’s attempted takedown was performed under the banner of the No More Ransom initiative, whose aim is […]<\/p>\n","protected":false},"author":1,"featured_media":2710,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2675","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2675"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2675\/revisions"}],"predecessor-version":[{"id":4304,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2675\/revisions\/4304"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2710"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}