The “Troldesh” Ransomware Terminates Operations and Releases Decryption Keys

• Troldesh announces the end of the road and releases master keys and hundreds of thousands of individual keys.
• The actors apologized to their targets and shared the decryptor’s source code for the development of easy-to-use tools.
• Victims are advised to wait for a while until AV companies release automatic decryptors; otherwise, there’s a risk of rendering the files non-retrievable.

The actors behind the “Shade” ransomware, also known as “Troldesh,” have decided to pull the plug and give away 750,000 decryption keys for free. The particular strain has been around since 2014 and remained quite active until its last days. Back in August 2019, we reported a notable rise in Troldesh deployments, which made use of compromised websites - although we pointed out the low success rates. In 82% of the time, AV tools detected Troldesh and stopped it from encrypting files, so the strain wasn’t doing great lately.

As the actors announced on GitHub yesterday, they are ceasing operations and releasing all decryption keys, their decryption software source code, and instructions on how to decrypt your files. They also pointed out that AV companies may use this information to develop easy-to-use decryption tools for everyone out there. Moreover, they stated that the source code of their trojan was irrevocably destroyed. The operators claim they stopped distributing “Troldesh” at the end of 2019, and they also apologized to all the people who fell victims to their campaigns. Does this mean the ransomware gang experienced a sudden ethical enlightenment? Could be, but we reckon it’s just that Troldesh was failing out there.

#Shade #Troldesh #Encoder.858 #ransomware just dropped all keys to public https://t.co/KhmrMJOieZ decryption tools will be available ASAP!

— Sergey @k1k_ Golovanov📡 (@k1k_) April 27, 2020

Kaspersky researcher Sergey Golovanov tested out some of the master decryption keys and confirmed their validity. However, non-tech-savvy users are advised to avoid trying to decrypt their locked files and to maintain their patience for a little while longer. The process isn’t simple, and one could potentially cause irreversible damage, preventing the success of any future restoration efforts. That said, we would recommend waiting for Emsisoft or any other reputable anti-virus product vendor to create a decryptor. It won’t take long, and it will be available for free, so waiting is your best bet right now.

The victim count of 750,000 indicates that Troldesh was distributed en masse, so it wasn’t used in narrow-targeting operations. This isn’t the way things work anymore in the ransomware scene, so locking down random systems here and there is just not worth it. As we acknowledged recently, even highly successful strains like the Nemty are closing down for the public in order to focus their resources and firepower on more valuable targets. Although this is good news for casual internet users, ransomware infections on the top-level set a wheel of consequences in motion and they can eventually affect an even larger number of people.