This is a security alert for all TruShield clients and the community as a whole. We have learned of a new update to Shade Ransomware. The update lets the ransomware search for specific file extensions and execute once it finds them, and it also downloads additional malware onto the system.
About Shade Ransomware
Shade Ransomware is a file-encrypting ransomware. Like most ransomware, it encrypts a victim’s files whose extensions match a built-in list and then demands payment (a ransom) to decrypt them. It mainly affects Russia, Ukraine and Germany and surfaced in late 2014 to early 2015; at the time it was one of the most widespread encryptors in Russia. It is detected under the names “Trojan-Ransom.Win32.Shade”, “Trojan.Encoder.858” and “Ransom:Win32/Troldesh”.
Shade ransomware is delivered via spam, and infection occurs when the user opens the file in the attachment. Another delivery method is exploit kits: the user visits a website that has been compromised, and malicious code on that website exploits vulnerabilities in the user’s browser to download the malware. In this case no executable is opened by the user, who is unaware of what is going on in the background.
Once the system is infected with the Trojan, it obtains a public RSA-3072 key by communicating with its C&C server, and this key is used in encrypting the files. After it finishes encrypting and demands a ransom, the malware “starts an infinite loop in which it requests a list from the C&C server containing the URLs of additional malware. It then downloads that malware and installs it in the system.”, as stated by Securelist researchers.
The following malware is downloaded:
- Win32.CMSBrute, a Trojan used to brute-force website passwords.
The extensions Shade appends to files after encrypting them are .xtbl and .ytbl. The new update to this malware “looks for strings associated with banking softwares and, if it does find it, it executes a file from a URL in its configuration”, as stated on Securityweek’s news website. It also downloads additional malware to the victim’s system; the code responsible for this is known as Teamspy, a bot that spies on its victim to determine how much cash it should demand as ransom.
Indicators of Compromise
- documenti dlea podpisi 05.08.2015.scr.exe
- akt sverki za 17082015.scr
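The indicators above (the two attachment names and the .xtbl/.ytbl extensions from the description) can be turned into a simple read-only file-system scan. The script below is an added example, not code from the TruShield alert; it assumes only the indicators on this page, and the sample directory it builds in a temp folder is constructed purely so the scanner has something to run against. The double-extension rule generalizes the two IoC names (a document-looking name that ends in an executable extension) and is an assumption of this example, not something the alert states.

```python
"""
Added example (not from the TruShield alert): a read-only scan for the Shade
indicators listed above. Assumptions not taken from the alert: the
double-extension rule and the constructed sample directory.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions Shade appends to encrypted files (from the alert).
ENCRYPTED_EXTENSIONS = {".xtbl", ".ytbl"}

# Attachment names listed as indicators of compromise in the alert.
IOC_FILENAMES = {
    "documenti dlea podpisi 05.08.2015.scr.exe",
    "akt sverki za 17082015.scr",
}

# Extensions that execute on Windows. A document-looking name ending in one of
# these (e.g. "report.pdf.scr") is a classic lure; this rule generalizes the
# two IoC names above and is an assumption of this example.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

_IOC_LOWER = {n.lower() for n in IOC_FILENAMES}


def classify(name: str) -> Optional[str]:
    """Return a finding label for one file name, or None if nothing matched."""
    lowered = name.lower()
    suffixes = Path(lowered).suffixes  # e.g. "a.docx.xtbl" -> ['.docx', '.xtbl']
    if lowered in _IOC_LOWER:
        return "known-ioc-filename"
    if suffixes and suffixes[-1] in ENCRYPTED_EXTENSIONS:
        return "shade-encrypted-file"
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES:
        return "double-extension-executable"
    return None


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk `root` without modifying anything; group matching paths by label."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            label = classify(fname)
            if label:
                findings.setdefault(label, []).append(os.path.join(dirpath, fname))
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample tree of empty files for the scanner to walk."""
    root = tempfile.mkdtemp(prefix="shade-demo-")
    for rel in [
        "docs/akt sverki za 17082015.scr",  # IoC name from the alert
        "docs/quarterly.docx.xtbl",         # looks like a Shade-encrypted file
        "docs/photo.jpg.ytbl",
        "downloads/invoice.pdf.exe",        # constructed double-extension lure
        "docs/readme.txt",                  # benign
    ]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for label, paths in sorted(scan_directory(sample_root).items()):
        print(f"{label}:")
        for path in paths:
            print(f"  {path}")
```

Run it against a real share by calling `scan_directory("/path/to/share")` instead of the sample tree; a non-empty "shade-encrypted-file" bucket is the signal that encryption has already started, while "known-ioc-filename" or "double-extension-executable" hits in mail-attachment folders point at the delivery stage, where a block is still cheap.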
Recommendations
- Back up all of your files to an external storage device or a cloud-based backup service.
- Use a strong security product that is kept fully up to date so it can intercept threatening components.
- Avoid visiting websites considered unsafe, such as pornographic websites or websites offering pirated content.
- Use a reliable anti-spam filter so that spam emails carrying threatening attachments never reach your inbox.
Ransomware is becoming more rampant and more advanced. New and old families are being updated to try out new techniques, and this will probably be the trend going forward. That is why it is important to raise awareness of newly discovered ransomware and of updates to existing families: it helps deter them and prevents infections from taking place. This is not the end of this ransomware; there will be more variants and modes of operation for Shade, and they will only become more sophisticated in the way they demand ransoms.