The “Troldesh” Ransomware Terminates Operations and Releases Decryption Keys

By Bill Toulas / April 28, 2020

The actors behind the “Shade” ransomware, also known as “Troldesh,” have decided to pull the plug and give away 750,000 decryption keys for free. The particular strain has been around since 2014 and remained quite active until its last days. Back in August 2019, we reported a notable rise in Troldesh deployments, which made use of compromised websites, although we pointed out the low success rates. 82% of the time, AV tools detected Troldesh and stopped it from encrypting files, so the strain wasn’t doing great lately.

As the actors announced on GitHub yesterday, they are ceasing operations and releasing all decryption keys, their decryption software source code, and instructions on how to decrypt your files. They also pointed out that AV companies may use this information to develop easy-to-use decryption tools for everyone out there. Moreover, they stated that the source code of their trojan was irrevocably destroyed. The operators claim they stopped distributing “Troldesh” at the end of 2019, and they also apologized to all the people who fell victim to their campaigns. Does this mean the ransomware gang experienced a sudden ethical enlightenment? Could be, but we reckon it’s just that Troldesh was failing out there.

Kaspersky researcher Sergey Golovanov tested out some of the master decryption keys and confirmed their validity. However, non-tech-savvy users are advised not to try decrypting their locked files themselves and to be patient a little while longer. The process isn’t simple, and a mistake could cause irreversible damage, ruling out any future restoration attempt. That said, we would recommend waiting for Emsisoft or any other reputable anti-virus vendor to create a decryptor. It won’t take long, and it will be available for free, so waiting is your best bet right now.

The victim count of 750,000 indicates that Troldesh was distributed en masse, so it wasn’t used in narrowly targeted operations. This isn’t the way things work anymore in the ransomware scene, so locking down random systems here and there is just not worth it. As we acknowledged recently, even highly successful strains like Nemty are closing down for the public in order to focus their resources and firepower on more valuable targets. Although this is good news for casual internet users, ransomware infections at the top level set a chain of consequences in motion that can eventually affect an even larger number of people.
