Shade ransomware calls it a day, 750,000 decryption keys released

Graham Cluley
@gcluley

Don’t ever give up hope that you’ll get back the data encrypted on your computer by a ransomware infection.

Even if you aren’t prepared or able to pay the extortionists’ ransom, even if you don’t have a secure backup, there might still be a glimmer of hope.

For instance, news comes this week that the criminals behind the Shade ransomware not only decided to stop spreading their attacks at the end of last year, but they have also now released over 750,000 decryption keys to help victims restore their precious data.

In a GitHub post, the so-called Shade Team announced that they were also publishing the source code for their decryption tools, in the hope that others might create their own easier-to-use decryption tools to help regular users.

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed.”

In a tweet Kaspersky security researcher Sergey Golovanov confirmed that the decryption keys worked as advertised.

Quite what spurred this change of heart is unclear, but it’s certainly refreshing to hear a ransomware gang apologise to the many innocent people who will have suffered after their computers were hit:

“We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

Reading the decryption instructions published by the Shade Team, it’s clear that not everyone will feel comfortable undertaking the process, and some may find it better to ask a geeky friend to assist them. Let’s hope that researchers will soon be able to create easy-to-use tools that will help innocent victims recover data that they might have imagined they would never see again.

And there’s a lesson for all of us – never give up hope. Even if you can’t pay the ransom and don’t have a backup, don’t destroy your garbled data believing that you’ll never be able to recover it. Maybe one day someone will build a tool that can do the job, or a ransomware gang will have a change of heart.

Now if we can just stop ransomware gangs infecting health services we would really be making some progress…

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “Shade ransomware calls it a day, 750,000 decryption keys released”

  1. I personally think this might be a bit too late for the companies. It's been months already so I assume they either lost a lot of money (or their business) in the process, or restored their systems from backups immediately.
    And although the first impression is to say they did a good thing, I think this is a similar reaction as in Stockholm Syndrome.
