For the victims of the Shade Ransomware, also known as Troldesh, this was an excellent week: the threat actors released over 750,000 decryption keys for their victims.
The Shade operators claimed to have shut down their operation at the end of 2019 and decided to release all of the master and individual decryption keys so that victims could recover their files for free.
Using these keys, Kaspersky has updated its ShadeDecryptor so that it can now decrypt the files of any user whose data was encrypted by the Shade Ransomware in the past.
Other news this week includes a pharmaceutical company named ExecuPharm, which filed a data breach notification after the actors behind the Clop Ransomware leaked stolen data.
Other than that, it was just more releases of new variants of existing ransomware.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @demonslay335, @malwrhunterteam, @struppigel, @FourOctets, @fwosar, @BleepinComputer, @serghei, @jorntvdw, @Ionut_Ilascu, @VK_Intel, @Seifreed, @LawrenceAbrams, @malwareforme, @PolarToffee, @emsisoft, @ValthekOn, @John_Fokker, @fbgwls245, @coveware, @James_inthe_box, and @Amigo_A_.
April 25th 2020
MalwareHunterTeam found a COVID-19 themed Android ransomware infection that appends the .encrypted extension to encrypted files.
April 26th 2020
dnwls0719 found a new variant of the STOP ransomware that appends the .qewe extension to encrypted files.
April 27th 2020
The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims.
April 29th 2020
The Coveware ransomware marketplace report aggregates observed trends from enterprise ransomware incidents in Q1 of 2020. During the first quarter of 2020, ransomware threat actors took advantage of the economic and workplace disruption caused by the COVID-19 outbreak. Spam attacks related to the outbreak surged, and seldom-used 'work-from-home' network configurations led to increased ransomware attacks across the board. Some threat actor groups continued attacking healthcare organizations, while others refused to target them. Our report shows victim demographics and resolution metrics based on actual ransomware cases handled by the Coveware Incident Response team.
April 30th 2020
Clop ransomware leaked files stolen from U.S. pharmaceutical company ExecuPharm after ransom negotiations allegedly failed.
Kaspersky has released an updated decryptor for the Shade Ransomware (Troldesh) that allows all victims who had their files encrypted by it to recover them for free.
We believe there is a real opportunity to learn from incident response cases and previous attacks, which is why this blog is dubbed 'tales from the trenches'. In collaboration with Northwave, this article describes a real-life case of a targeted ransomware attack. During one of their recent incident responses, Northwave encountered a relatively new family of ransomware called LockBit performing a targeted attack.
May 1st 2020
A new phishing campaign is distributing a double punch of the LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.
Emsisoft released an updated decryptor that supports the .zemblax extension described in the previous entry.
Michael Gillespie found a new variant of the STOP ransomware that appends the .mpal extension to encrypted files.