Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN – Shade Ransomware

Source: https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/

Summary

Recently there is a new wave of malicious spam campaign distributing Shade ransomware via sending malicious JavaScript attachments. The spam campaign was mainly targeting users from Russia, and the ransom note was written in both Russian and English. This variant of Shade ransomware will append “.crypted000007” as file extension to the encrypted file. After the encryption is complete, it will change the desktop background as shown in Figure 1.

Figure 1: Screenshot of the ransom note on Desktop.

In addition, it will leave several copies of ransom notes named as “README1.txt”, following until “README10.txt”, the content was shown as in Figure 2.

Figure 2: Screenshot of the ransom note.

Shade ransomware will also attempt to delete volume shadow copies to ensure that data cannot be restored easily. Other than that, it will also connect to C&C server, download additional malicious payloads such as crypto-mining malware and install onto the system.

Figure 3: Process tree carried out by the ransomware.

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Shade Ransomware.