
Shade Ransomware

Posted: September 24, 2015

Threat Metric

Ranking: 14,912
Threat Level: 10/10
Infected PCs: 10,806
First Seen: September 23, 2015
Last Seen: October 16, 2023
OS(es) Affected: Windows

The Shade Ransomware is a file encryption Trojan, or a Trojan that encrypts your files to make them unreadable. These attacks normally are followed by ransom demands for transferring money to 'buy' a decryption key for reversing the attack. Because of the suspect reliability and sheer illegality of these transactions, malware researchers advise using other solutions, such as deleting the Shade Ransomware with any anti-malware scanner, and then restoring your files from a secure backup.

Shades of an Old Tactic Still Profiteering

Russia is notable for its intractability to military invasion, but, in contrast, has become a fertile hotbed for another kind of war: the development and distribution of threats. The Shade Ransomware is one of the newest file encryptors to take advantage of the Russian legal climate. Unlike the products of more paranoid threat authors, the Shade Ransomware targets its attacks at Russian residents, as well as at English-speaking PC owners. Currently, malware researchers anticipate the abuse of e-mail spam for delivering the Shade Ransomware to victims with compromised addresses.

The Shade Ransomware's main payload operates in a method similar to that of other file encryptors, like DESKRYPTEDN81 Ransomware (also conducting campaigns in the same region). The Shade Ransomware scans the victim's hard drive for files falling under specific formats, such as GIF images or TXT text files, and modifies them with a simple encryption attack. This encryption blocks relevant programs from opening and reading these files, although all data is, in theory, recoverable.

Following this attack, the Shade Ransomware uses a combination of images and text instructions to deliver a ransom note and demands for you to contact an included e-mail address where you will find out how to transfer payment. Ransoms from the Shade Ransomware attacks may reach sums of up to 500 USD. Like similar threats, the Shade Ransomware also claims to be programmed to delete your files after you try to use other methods of data recovery. Malware analysts haven't confirmed this function, which may be a bluff.

No matter what nation you live in, file encryptors are threats best dealt with by using habitual, standardized means of data protection. Placing your files on a cloud storage server or an unconnected device (such as any USB 'thumb' drive) can place them out of reach of the Shade Ransomware's attacks. Freeware file decryptors also are made available by various PC security institutions, and can provide some means of data recovery for PC users who failed to back up their information beforehand. Without any surety that the Shade Ransomware's perpetrators will honor their word, paying their ransom can be assumed to be self-destructive, at best.

PCs compromised by this threat should receive scans from their anti-malware products with all due attempts made to minimize any interferences by other threats. The Shade Ransomware hasn't been seen using other attacks of any note, but malware experts often see file encryptors supported by additional 'wingman' threats, such as backdoor Trojans. The lack of any further file-encrypting attacks shouldn't be assumed to be a sign of the Shade Ransomware's successful removal until your anti-malware solutions can verify your PC's health.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following Registry values are newly produced:

Regexp file mask
%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe
%ALLUSERSPROFILE%\Drivers\csrss.exe
%ALLUSERSPROFILE%\Windows\csrss.exe
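
The file masks above can be turned into a simple detection over process-creation records. The following is an added example, not code from this page or from any anti-malware product: it flags image paths that match the listed masks, and more generally any csrss.exe that runs from outside System32. The %ALLUSERSPROFILE% expansions, the C: system drive, the log line format and the sample records are assumptions constructed for illustration.

```python
import re

# File masks copied from the page's "Regexp file mask" listing.
PAGE_MASKS = [
    r"%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe",
    r"%ALLUSERSPROFILE%\Drivers\csrss.exe",
    r"%ALLUSERSPROFILE%\Windows\csrss.exe",
]
# Assumed expansions of %ALLUSERSPROFILE% (Vista-and-later and XP-era defaults).
ALLUSERSPROFILE_DIRS = [r"C:\ProgramData", r"C:\Documents and Settings\All Users"]
# The genuine csrss.exe lives only in System32 (assumes Windows is installed on C:).
LEGIT_CSRSS = r"c:\windows\system32\csrss.exe"

def compile_masks(masks=PAGE_MASKS, roots=ALLUSERSPROFILE_DIRS):
    """Expand every mask under every root into a case-insensitive regex."""
    return [
        re.compile(re.escape(mask.replace("%ALLUSERSPROFILE%", root)), re.IGNORECASE)
        for mask in masks for root in roots
    ]

def classify(image_path, patterns):
    """Return 'listed-mask', 'masquerade' or None for one process image path."""
    path = image_path.strip().strip('"').replace("/", "\\")
    if any(p.fullmatch(path) for p in patterns):
        return "listed-mask"
    name = path.rsplit("\\", 1)[-1].lower()
    if name == "csrss.exe" and path.lower() != LEGIT_CSRSS:
        return "masquerade"  # right name, wrong directory
    return None

def scan(lines):
    """Return [(verdict, path)] for lines shaped '<timestamp> <image path>'."""
    patterns = compile_masks()
    hits = []
    for line in lines:
        _, _, path = line.partition(" ")
        verdict = classify(path, patterns)
        if verdict:
            hits.append((verdict, path.strip()))
    return hits

# Constructed sample process-creation records (not taken from the page).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z C:\\Windows\\System32\\csrss.exe",
    "2024-01-01T10:00:05Z C:\\ProgramData\\Windows\\csrss.exe",
    "2024-01-01T10:00:09Z c:\\programdata\\drivers\\CSRSS.EXE",
    "2024-01-01T10:00:12Z C:\\Users\\Public\\csrss.exe",
    "2024-01-01T10:00:15Z C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for verdict, path in scan(SAMPLE_LOG):
        print(verdict, path)
```

Matching is case-insensitive because Windows paths are; a hit on the generic "masquerade" rule is a lead to verify, not proof of this particular threat.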
