
TAU-TIN - Shade Ransomware

Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN – Shade Ransomware

Source: https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/

Summary

A recent wave of malicious spam is distributing Shade ransomware through malicious JavaScript attachments. The campaign mainly targets users in Russia, and the ransom note is written in both Russian and English. This variant of Shade appends “.crypted000007” as the file extension of every encrypted file. Once encryption is complete, it changes the desktop background, as shown in Figure 1.

Figure 1: Screenshot of the ransom note on the Desktop.

In addition, it leaves several copies of the ransom note, named “README1.txt” through “README10.txt”; their content is shown in Figure 2.

Figure 2: Screenshot of the ransom note.

Shade ransomware also attempts to delete volume shadow copies so that data cannot be restored easily. Beyond that, it connects to a C&C server, downloads additional malicious payloads such as crypto-mining malware, and installs them on the system.
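As an added example (not code from the original notification), the behaviours described above can be expressed as simple detection logic run over constructed endpoint telemetry. The “.crypted000007” extension and the README1.txt–README10.txt names come from the notification; the log format, the script-host interpreters used to launch the JavaScript attachment, and the shadow-copy deletion command lines are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not from the original notification).
# Format per line: <timestamp> <event> <process> <target or command line>
SAMPLE_EVENTS = """\
2019-01-28T10:00:01Z proc_start wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.js
2019-01-28T10:00:09Z file_write payload.tmp C:\\Users\\u\\Documents\\report.docx.crypted000007
2019-01-28T10:00:10Z file_write payload.tmp C:\\Users\\u\\Documents\\budget.xlsx.crypted000007
2019-01-28T10:00:11Z file_write payload.tmp C:\\Users\\u\\Desktop\\README1.txt
2019-01-28T10:00:12Z file_write payload.tmp C:\\Users\\u\\Desktop\\README10.txt
2019-01-28T10:00:15Z proc_start vssadmin.exe Delete Shadows /All /Quiet
2019-01-28T10:01:00Z file_write winword.exe C:\\Users\\u\\Documents\\notes.docx
"""

# Extension and note names are from the notification; the shadow-copy
# command patterns and script hosts are assumed examples of the behaviour.
ENCRYPTED_EXT = re.compile(r"\.crypted000007$", re.I)
RANSOM_NOTE = re.compile(r"[\\/]README(?:[1-9]|10)\.txt$", re.I)
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def parse_event(line):
    """Split one telemetry line into its four fields."""
    ts, event, proc, target = line.split(" ", 3)
    return {"ts": ts, "event": event, "proc": proc, "target": target}

def detect_shade(lines, min_encrypted=2):
    """Return (finding_kind, detail) tuples for Shade-like activity."""
    findings, encrypted = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev["proc"] + " " + ev["target"]
        if ev["event"] == "file_write" and ENCRYPTED_EXT.search(ev["target"]):
            encrypted += 1                      # count renamed/encrypted files
        elif ev["event"] == "file_write" and RANSOM_NOTE.search(ev["target"]):
            findings.append(("ransom_note", ev["target"]))
        elif ev["event"] == "proc_start":
            if ev["proc"].lower() in SCRIPT_HOSTS and ev["target"].lower().endswith(".js"):
                findings.append(("js_attachment_exec", ev["target"]))
            if SHADOW_DELETE.search(cmd):
                findings.append(("shadow_copy_delete", cmd))
    if encrypted >= min_encrypted:              # flag only above a small threshold
        findings.append(("mass_encryption", f"{encrypted} files with .crypted000007"))
    return findings

if __name__ == "__main__":
    for kind, detail in detect_shade(SAMPLE_EVENTS.splitlines()):
        print(f"{kind}: {detail}")
```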

Figure 3: Process tree carried out by the ransomware.

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Shade Ransomware.

Article Information
Creation Date: 03-05-2019