Figure 1: Screenshot of the ransom note on Desktop.
In addition, it drops several copies of the ransom note, named “README1.txt” through “README10.txt”; their content is shown in Figure 2.
Figure 2: Screenshot of the ransom note.
Shade ransomware also attempts to delete volume shadow copies so that the encrypted data cannot easily be restored. In addition, it connects to its C&C server, downloads additional malicious payloads such as crypto-mining malware, and installs them on the system.
Figure 3: Process tree carried out by the ransomware.
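As an added example (not code from the original post or from Carbon Black's products), the following Python correlates two of the behaviours described above, shadow-copy deletion by a child process and the README1.txt through README10.txt note drops, over a constructed set of process and file events. The event field names and the specific shadow-copy deletion command lines are assumptions; adapt them to your EDR's export format.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post). Field names are an
# assumption; adapt them to the schema your EDR exports.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4012, "ppid": 3300,
     "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "cmdline": "svc.exe"},
    {"type": "process", "pid": 4020, "ppid": 4012,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "pid": 4012, "path": "C:\\Users\\u\\Desktop\\README1.txt"},
    {"type": "file", "pid": 4012, "path": "C:\\Users\\u\\Desktop\\README10.txt"},
    # Benign: a user opening a file that happens to be called README1.txt.
    {"type": "process", "pid": 5001, "ppid": 800,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\notes\\README1.txt"},
]

# Typical shadow-copy deletion command lines (assumed; the post only states that
# the ransomware attempts to delete volume shadow copies).
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Ransom-note file names described in the post: README1.txt ... README10.txt.
RANSOM_NOTE_RE = re.compile(r"\\README(10|[1-9])\.txt$", re.I)


def score_processes(events):
    """Return {pid: set of indicators} for processes that show BOTH behaviours.

    Shadow-copy deletion is attributed to the parent that spawned vssadmin/wmic,
    so it lines up with the process writing the ransom notes (cf. Figure 3).
    """
    indicators = defaultdict(set)
    for ev in events:
        if ev["type"] == "process" and SHADOW_DELETE_RE.search(ev["cmdline"]):
            indicators[ev["ppid"]].add("shadow_copy_deletion")
        elif ev["type"] == "file" and RANSOM_NOTE_RE.search(ev["path"]):
            indicators[ev["pid"]].add("ransom_note_drop")
    # Requiring both indicators keeps a lone README*.txt write from alerting.
    return {pid: inds for pid, inds in indicators.items() if len(inds) == 2}


if __name__ == "__main__":
    for pid, inds in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sorted(inds)}")
```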
This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Shade Ransomware.