Back in 2014, Kaspersky Lab researchers uncovered the Shade ransomware. It primarily focused on Russian targets, but also hit nations of the former Soviet Union where Russian is still an official language. The ransomware spread via two major attack vectors: spam emails with malicious file attachments and exploit kits (in particular NuclearEK). According to new research, however, it appears that after years of localized attacks in Eastern Europe the Shade ransomware is expanding its focus.
The research in question comes from Palo Alto Networks’ Unit 42 group, specifically an analysis written by researcher Brad Duncan. In his report, Duncan states that the primary targets for the Shade ransomware are the United States, Japan, India, Thailand, and Canada. According to the data collected, Russia is actually now the seventh-ranked nation facing Shade ransomware (compared to its No. 1 status in the past). The sectors that threat actors seem to be deploying the Shade ransomware against include high-tech, wholesale, and education. The motives of the threat actors and their identities are not known at this time.
As for the ransomware itself, one might wonder how much it has changed since 2014. Duncan touches on this in his analysis, stating the following:
The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014… Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. English language waves of malspam have been noted pushing Shade ransomware, like this wave of IRS notifications targeting recipients in the United States in 2017.
The ransomware does not reinvent the wheel in its approach, but it nevertheless remains incredibly effective. Cybersecurity experts, especially those who work in-house at companies, should be on the lookout for malspam and warn fellow employees against possible Shade ransomware attacks. Ransomware is only as strong as you let it be, and unfortunately, many still fall for its dirty tricks.