Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN – Shade Ransomware



A new wave of malicious spam is distributing Shade ransomware through malicious JavaScript attachments. The campaign mainly targets users in Russia, and the ransom note is written in both Russian and English. This variant of Shade appends “.crypted000007” as the file extension of each encrypted file. Once encryption is complete, it changes the desktop background as shown in Figure 1.

Figure 1: Screenshot of the ransom note on the desktop.

In addition, it leaves several copies of the ransom note, named “README1.txt” through “README10.txt”; their content is shown in Figure 2.

Figure 2: Screenshot of the ransom note.

Shade also attempts to delete volume shadow copies so that data cannot be restored easily. It further connects to its C&C server, downloads additional malicious payloads such as crypto-mining malware, and installs them on the system.

Figure 3: Process tree carried out by the ransomware.
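As an added defender-side example (not part of this notification or of any Carbon Black product), the Python script below walks a directory tree and reports the two file-system indicators described above: the “.crypted000007” extension on encrypted files and the README1.txt through README10.txt ransom notes. The sample tree it builds is constructed here for a dry run, not taken from a real infection.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the notification: the appended extension and the
# numbered ransom notes README1.txt .. README10.txt.
SHADE_EXT = ".crypted000007"
NOTE_RE = re.compile(r"^README(?:[1-9]|10)\.txt$", re.IGNORECASE)


def triage_directory(root):
    """Walk `root` and summarise Shade-style artefacts found beneath it."""
    encrypted, notes = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SHADE_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif NOTE_RE.match(name):
                notes.add(name.upper())
    # Encrypted files together with ransom notes is a strong signal; either
    # one alone is worth a closer look but may have a benign explanation.
    if encrypted and notes:
        verdict = "shade_likely"
    elif encrypted or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "encrypted_files": sorted(encrypted),
        "note_count": len(notes),
        "verdict": verdict,
    }


def build_constructed_sample():
    """Create a constructed sample tree (placeholder data, not real malware)."""
    root = tempfile.mkdtemp(prefix="shade_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.crypted000007").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.crypted000007").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    for i in range(1, 11):
        (Path(root) / f"README{i}.txt").write_text("constructed note placeholder")
    return root


if __name__ == "__main__":
    print(triage_directory(build_constructed_sample()))
```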

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Shade Ransomware.

