Shade Ransomware Is the Most Actively Distributed Malware via Email

Filed under Security Alerts.

During the first half of 2019, the Shade Ransomware (also known as Troldesh) was the malware most actively distributed via malicious phishing email campaigns, according to Singapore-based security firm Group-IB.

Out of all malspam emails detected and examined by Group-IB’s Computer Emergency Response Team (CERT-GIB), Shade Ransomware was the main malware strain used by attackers to infect their targets’ computers in H1 2019.

“Currently, three of the most widespread tools used in attacks tracked by Group-IB’s Computer Emergency Response Team have been Troldesh (53%), RTM (17%) and Pony Formgrabber (6%),” the researchers claim.

Based on these results, ransomware usage in malicious campaigns rose sharply compared with 2018, when backdoors and banking Trojans dominated malware activity; the attacks detected this year even surpass the ransomware boom of 2017.

“In 2018, the major vector for financial losses was via bank Trojans and backdoors, whereas the first half of 2019 showed a rapid increase in ransomware usage,” the report says.

Shade Ransomware is a strain sold or rented on various crimeware markets, and it is known for using constantly changing Tor command-and-control (C2) servers, which makes its infrastructure harder to block.

While not new on the malware scene, Shade Ransomware is constantly upgraded with new features and capabilities, which keeps demand up and its creators busy updating it.

Luckily, two Shade Ransomware decryptor tools created by Kaspersky Lab and Intel Security are available on the No More Ransom website, although it’s important to mention that they only work for some older variants.

“Recent campaigns with Troldesh have shown that now it not only encrypts files, but also mines cryptocurrency and generates traffic to websites to increase traffic and revenue from online advertising,” as Group-IB researchers also said at the time.

Group-IB previously highlighted a June 2019 spike in Shade Ransomware infections when they “discovered more than 1,100 phishing emails containing Troldesh, while in the second quarter of 2019 their number exceeded 6,000.”

[Figure: Shade Ransomware (Troldesh) June 2019 activity]

The Shade Ransomware increase in activity from June was also confirmed by researchers at Avast who stated that the campaign they monitored predominantly targeted Mexico and Russia, with potential victims from the UK and Germany also being heavily targeted.

Malwarebytes researchers also spotted an activity spike during February 2019, reporting a “sharp increase in detections from Q4 2018 to Q1 2019” as part of “an active, successful campaign.”

“What sets Troldesh apart from other ransomware variants is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor,” Malwarebytes Labs said.

“Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks,” the researchers concluded.
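The one host-level artifact the Malwarebytes quote names is the large number of ransom-note files, "readme#.txt", dropped across the affected system. The following added example (not code from the article, Malwarebytes, or Group-IB) shows how a defender could turn that observation into a simple filesystem sweep: it walks a directory tree, counts files whose names match the note pattern, and flags the tree when the count crosses a threshold. The exact filename regex (`readme` followed by one or more digits and `.txt`, case-insensitive) and the threshold of 10 are assumptions; the sample directory tree is constructed in the script so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed pattern for the ransom-note filenames the article describes as
# "readme#.txt" (the "#" read as a run of digits); adjust if your telemetry
# shows a different naming scheme.
NOTE_PATTERN = re.compile(r"^readme\d+\.txt$", re.IGNORECASE)


def find_ransom_notes(root):
    """Walk `root` and return the sorted paths of files matching NOTE_PATTERN."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if NOTE_PATTERN.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(root, threshold=10):
    """Summarise note files under `root` and flag the tree if the count is high.

    A single readme file is normal; dozens of numbered notes scattered across
    many directories is the pattern worth alerting on. The threshold is an
    assumed tuning value, not a figure from the article.
    """
    notes = find_ransom_notes(root)
    directories = {os.path.dirname(p) for p in notes}
    return {
        "note_count": len(notes),
        "directories": len(directories),
        "suspicious": len(notes) >= threshold,
    }


def build_sample_tree():
    """Constructed sample data: 12 numbered note files spread over 4 folders,
    plus two benign files that must not match (no digits / different name)."""
    root = tempfile.mkdtemp(prefix="shade_demo_")
    for i in range(1, 13):
        sub = Path(root) / f"docs{i % 4}"
        sub.mkdir(exist_ok=True)
        (sub / f"README{i}.txt").write_text("ransom note placeholder (constructed)\n")
    (Path(root) / "docs0" / "readme.txt").write_text("ordinary readme, no digits\n")
    (Path(root) / "docs1" / "notes.txt").write_text("benign file\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = assess(sample_root)
    print(f"scanned {sample_root}: {result}")
```

In practice the sweep would run over user profile and document directories rather than a temp folder, and the note count per directory is a useful secondary signal: ransomware typically drops a note in every folder it encrypts, so a tree where nearly every directory holds one is far more telling than a single folder with a few.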

In related news, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued a public service announcement on October 2 regarding the increasing number of high-impact ransomware attacks targeting both public and private U.S. organizations.

The PSA came one day after several hospitals and health service providers from the U.S. and Australia were forced to completely or partially shut down their computing systems following ransomware attacks that affected and disrupted their IT systems.

This week, the state government of Louisiana was also hit by a ransomware attack that affected several state services including the Office of Motor Vehicles, the Department of Health, and the Department of Transportation and Development.

In late September, the US Senate also passed the ‘DHS Cyber Hunt and Incident Response Teams Act’ in response to this year’s rampant ransomware attacks against US entities. The act authorizes the Department of Homeland Security (DHS) to maintain incident response teams that help private and public organizations defend against cyber-attacks, and ransomware in particular.


The information in this article is gathered from Bleeping Computer.