Shade Ransomware
Posted: September 24, 2015
| Ranking: | 19,819 |
|---|---|
| Threat Level: | 10/10 |
| Infected PCs: | 11,479 |
| First Seen: | September 23, 2015 |
| Last Seen: | February 13, 2025 |
| OS(es) Affected: | Windows |
The Shade Ransomware is a file encryption Trojan, or a Trojan that encrypts your files to make them unreadable. These attacks normally are followed by ransom demands for transferring money to 'buy' a decryption key for reversing the attack. Because of the suspect reliability and sheer illegality of these transactions, malware researchers advise using other solutions, such as deleting the Shade Ransomware with any anti-malware scanner, and then restoring your files from a secure backup.
Shades of an Old Tactic Still Profiteering
Russia is notable for its intractability to military invasion, but, in contrast, has become a fertile hotbed for another kind of war: the development and distribution of threats. The Shade Ransomware is one of the newest file encryptors to take advantage of the Russian legal climate. Unlike the products of more paranoid threat authors, the Shade Ransomware targets its attacks at Russian residents, as well as at English-speaking PC owners. Currently, malware researchers anticipate the abuse of e-mail spam for delivering the Shade Ransomware to victims with compromised addresses.
The Shade Ransomware's main payload operates in a method similar to that of other file encryptors, like DESKRYPTEDN81 Ransomware (also conducting campaigns in the same region). The Shade Ransomware scans the victim's hard drive for files falling under specific formats, such as GIF images or TXT text files, and modifies them with a simple encryption attack. This encryption blocks relevant programs from opening and reading these files, although all data is, in theory, recoverable.
Following this attack, the Shade Ransomware uses a combination of images and text instructions to deliver a ransom note and demands for you to contact an included e-mail address where you will find out how to transfer payment. Ransoms from the Shade Ransomware attacks may reach sums of up to 500 USD. Like similar threats, the Shade Ransomware also claims to be programmed to delete your files after you try to use other methods of data recovery. Malware analysts haven't confirmed this function, which may be a bluff.
No matter what nation you live in, file encryptors are threats best dealt with by using habitual, standardized means of data protection. Placing your files on a cloud storage server or an unconnected device (such as any USB 'thumb' drive) can place them out of reach of the Shade Ransomware's attacks. Freeware file decryptors also are made available by various PC security institutions, and can provide some means of data recovery for PC users who failed to back up their information beforehand. Without any surety that the Shade Ransomware's perpetrators will honor their word, paying their ransom can be assumed to be self-destructive, at best.
PCs compromised by this threat should receive scans from their anti-malware products with all due attempts made to minimize any interferences by other threats. The Shade Ransomware hasn't been seen using other attacks of any note, but malware experts often see file encryptors supported by additional 'wingman' threats, such as backdoor Trojans. The lack of any further file-encrypting attacks shouldn't be assumed to be a sign of the Shade Ransomware's successful removal until your anti-malware solutions can verify your PC's health.
Technical Details
File System Modifications
The following files were created in the system:
doc.exe
File name: doc.exe
Size: 557.84 KB (557843 bytes)
MD5: dfcd797a1ffdab6dbedafe190d0992ad
Detection count: 52
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2015
file.exe
File name: file.exe
Size: 1.12 MB (1128200 bytes)
MD5: 84307f2217068875dd710248c6f5fedf
Detection count: 25
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%ALLUSERSPROFILE%\windows\csrss.exe
File name: csrss.exe
Size: 1.65 MB (1654272 bytes)
MD5: 4039c1e8c180688104b67c315473fdb4
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\windows
Group: Malware file
Last Updated: November 2, 2018
%APPDATA%\fcvsasas.exe
File name: fcvsasas.exe
Size: 951.78 KB (951788 bytes)
MD5: bbcf995c22756a6a634a0f54bae05ea0
Detection count: 10
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: November 17, 2016
file.js
File name: file.js
Size: 6.42 KB (6422 bytes)
MD5: 63ba865c22863ef7d354634bace10166
Detection count: 0
File type: JavaScript file
Mime Type: unknown/js
Group: Malware file
Registry Modifications
Regexp file mask
%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe
%ALLUSERSPROFILE%\Drivers\csrss.exe
%ALLUSERSPROFILE%\Windows\csrss.exe
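A defender-side sweep built from the file paths and MD5 values listed above, given here as an added example that is not part of the original page or of SpyHunter. The function names (`expand`, `md5_of`, `sweep`) are hypothetical; a file found at a listed path with a different hash is still reported for review.

```python
import hashlib
import os
import re

# Indicators copied from this page's "Technical Details" listing.
PAGE_MD5 = {
    "dfcd797a1ffdab6dbedafe190d0992ad": "doc.exe",
    "84307f2217068875dd710248c6f5fedf": "file.exe",
    "4039c1e8c180688104b67c315473fdb4": "csrss.exe",
    "bbcf995c22756a6a634a0f54bae05ea0": "fcvsasas.exe",
    "63ba865c22863ef7d354634bace10166": "file.js",
}
PAGE_PATHS = [
    r"%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe",
    r"%ALLUSERSPROFILE%\Drivers\csrss.exe",
    r"%ALLUSERSPROFILE%\Windows\csrss.exe",
    r"%APPDATA%\fcvsasas.exe",
]

def expand(mask, env):
    """Expand %VAR% from env and use the local path separator."""
    out = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), mask)
    return out.replace("\\", os.sep)

def md5_of(path):
    """Hash a file in chunks; MD5 only because the page publishes MD5s."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(env, extra_files=()):
    """Return (path, reason) for listed paths that exist or files whose MD5 is listed."""
    listed = [expand(p, env) for p in PAGE_PATHS]
    findings = []
    for path in listed + list(extra_files):
        if not os.path.isfile(path):
            continue
        digest = md5_of(path)
        if digest in PAGE_MD5:
            findings.append((path, "md5 matches " + PAGE_MD5[digest]))
        elif path in listed:
            findings.append((path, "listed path, unlisted md5 " + digest))
    return findings

if __name__ == "__main__":
    for path, reason in sweep(dict(os.environ)):
        print(path, "->", reason)
```

Pass suspicious attachments or downloads as `extra_files` to hash them against the same list.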