Shade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian language emails that deliver Shade, but this ransomware is also distributed through English-language malspam.
Where is Shade currently appearing? To answer this question, we reviewed recent trends in Shade ransomware among our customer base. Our results indicate the majority of recent Shade ransomware executables have also targeted users outside of Russia.
In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union; they are the United States, Japan, India, Thailand, and Canada. Russia only occurs at number seven, and the only other country we found in the top ten where Russian is an official language is Kazakhstan, at number ten. The top industries attacked in these countries were High-Tech, Wholesale, and Education.
Very Little Change Since 2016
The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014.
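Because the Tor decryptor address has stayed fixed across samples, it makes a simple, stable hunting indicator. The following is an added example, not code from the original report or from its authors: it searches file contents for that onion address in both ASCII and UTF-16LE form (Windows binaries often store strings as wide characters, so an ASCII-only search can miss them). The function and sample names are assumptions for illustration, and the sample blobs are constructed, not real malware.

```python
"""Added example (not from the original report): hunt for the Shade decryptor
Tor address in file contents, checking both ASCII and UTF-16LE encodings."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The only indicator taken from the report: the Tor decryptor address that
# Shade samples have used since 2016.
SHADE_ONION = "cryptsen7f043rr6.onion"

# Windows executables frequently embed strings as UTF-16LE, so search for both
# encodings. Case-insensitive matching covers samples that vary the casing.
PATTERNS = {
    "ascii": re.compile(re.escape(SHADE_ONION.encode("ascii")), re.IGNORECASE),
    "utf-16le": re.compile(re.escape(SHADE_ONION.encode("utf-16-le")), re.IGNORECASE),
}


def find_indicator(data: bytes) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of the indicator in data."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def scan_blobs(blobs: dict[str, bytes]) -> dict[str, list[tuple[str, int]]]:
    """Scan named byte blobs; only blobs with at least one hit are reported."""
    results = {}
    for name, data in blobs.items():
        hits = find_indicator(data)
        if hits:
            results[name] = hits
    return results


def scan_paths(paths) -> dict[str, list[tuple[str, int]]]:
    """Read each file from disk and scan it (hypothetical helper name)."""
    return scan_blobs({str(p): Path(p).read_bytes() for p in paths})


# Constructed sample data (not real malware): one ASCII hit at offset 23,
# one UTF-16LE hit at offset 32, and one clean blob with no hit.
SAMPLE_ASCII = b"\x00" * 16 + b"http://" + SHADE_ONION.encode("ascii") + b"/\x00"
SAMPLE_WIDE = b"MZ" + b"\x00" * 30 + SHADE_ONION.encode("utf-16-le") + b"\x00\x00"
SAMPLE_CLEAN = b"MZ" + b"nothing to see here" * 4

if __name__ == "__main__":
    # Write the constructed blobs to a temporary directory and scan them as
    # files, the way a triage script would walk a quarantine folder.
    with tempfile.TemporaryDirectory() as tmp:
        files = []
        for name, blob in {"ascii.bin": SAMPLE_ASCII,
                           "wide.bin": SAMPLE_WIDE,
                           "clean.bin": SAMPLE_CLEAN}.items():
            path = Path(tmp) / name
            path.write_bytes(blob)
            files.append(path)
        for path, hits in scan_paths(files).items():
            for enc, off in hits:
                print(f"{path}: {SHADE_ONION} ({enc}) at offset {off}")
```

A string hunt like this is cheap to run over a quarantine directory or a memory dump and is useful precisely because the indicator has not changed; it is not a substitute for behavioural detection, since a repacked sample could obfuscate the string.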