Hackers shutdown Shade & Troldesh Ransomware operation and release 750,000 decryption keys. But why?

According to security testing course specialists, the group of malicious hackers behind ransomware attacks using the malware variant Shade (also known as Troldesh) have decided to shut down their operations. The hackers released more than 750,000 decryption keys and apologized for the inconvenience caused to the victims of their attacks. This hacking group was active for almost six years and, unlike other ransomware attack operator groups, its victims were mainly based in Ukraine and Russia.

Michael Gillespie, founder of ID Ransomware (a platform to help victims of encryption malware) mentions that queries on his Shade-related website began to decline in late 2019, after remaining at constant levels for nearly three years. For obvious reasons, this behavior caught the attention of the cybersecurity community.

Security testing course experts mention that the answer to this question finally came last weekend, when Shade operators created a repository on GitHub and posted a message saying they stopped distributing this malware for a few months now.  

“We are the computer that developed the encryption Trojan known as Shade, Troldesh or Encoder.858. We stopped the distribution of malware at the end of 2019; today, we have made the decision to stop any operation and publish all the decryption keys we have (more than 750 thousand in total). We hope antivirus companies can collaborate to make the decryption process easier. We apologize to all victims of this malware and hope that the published keys will be useful for them to retrieve their data,” the GitHub post says.  

In addition to the 750 thousand unique decryption keys, the repository includes five master keys, instructions for use, and a link to a decryption tool, security testing course experts mention. On the other hand, Kaspersky researchers confirmed that these keys are legitimate after some tests are performed.

Despite this, not all are good news, as the use of this decryption tool is somewhat complex, which can make it difficult for users with less technical knowledge to recover their information encrypted by Shade. 

The International Institute of Cyber Security (IICS) recommends that users affected by this malware check whether platforms like No More Ransom have increased reports on this incident. Other computer security platforms and companies might also be developing a decryption tool.