Written by Mickael S. and Tanya K.
Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which appends a no_more_ransom extension to encrypted files. This ransomware is far from famous, lacking the glorious aura of its rivals, Locky and Cerber. The NoMoreRansom project released a decryption tool for Shade in the summer, but apparently it is not suitable for this new Shade variant, which makes the ransomware even more damaging than it was before.
This variant (which ironically uses a no_more_ransom extension) was delivered in a taxes-themed spam email message in Russian in early December 2016, and according to comments on Russian-language technical support forums, it became active in the last week of November. Interestingly, all the infection victims mentioned accounting-themed spam messages that led to the infection when they were inadvertently opened. Even more interestingly, the victims also claimed that all 1C (accounting software popular in Russia) databases were encrypted after the infection.
Ostensibly, this Shade variant targets mainly Russian users; however, the ransom message appears in English as well, suggesting possible future attacks outside of Russia.
An excerpt of the obfuscated code:
Once the JS script is executed, it tries to download the malicious file from one of two sources: the IP address 184.108.40.206 (theacornalliance.org) or the IP address 220.127.116.11 (d-v.by). The downloaded file, helpconfig.exe, is then written to the infected PC.
The file is dropped into the following path: %AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\643WD09Y\helpconfig.exe
In fact, helpconfig.exe is a Nullsoft installer in which the payload hides itself.
Once helpconfig.exe is executed, it will extract the following files:
And create several registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
It will then create a copy of itself under the process name csrss (the name of a legitimate Windows process whose removal results in a Blue Screen of Death).
After these steps, the malware will try to connect to several C&C servers (some of which are TOR nodes):
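As an added defender-side illustration (not code from the SenseCy analysis), the following Python checks a list of Run-key autostart entries for the persistence pattern described above: a value named after the Client Server Runtime Subsystem, a csrss.exe image outside System32, or an executable launched from the IE cache directory. The Run entries are a constructed sample, and the lists of system process names and system directories are assumptions, not drawn from the page.

```python
"""Added detection helper (not from the SenseCy write-up): flags Run-key
entries matching the Shade persistence pattern described in the text."""
import ntpath
import re

# Constructed sample of HKCU\...\Run entries as (value_name, command_line)
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Client Server Runtime Subsystem", r"C:\Users\ann\AppData\Roaming\csrss.exe"),
    ("Updater", r'"C:\Users\ann\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\643WD09Y\helpconfig.exe"'),
]

# Assumed list of core Windows process names that malware likes to imitate
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "svchost.exe", "lsass.exe"}
# Run value names that mimic the description of a Windows component
SUSPICIOUS_VALUE_NAMES = {"client server runtime subsystem"}
# Assumed directories where the genuine system binaries live
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def image_path(command_line):
    """Extract the executable path from a Run-key command line (quoted or not)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def classify_entry(value_name, command_line):
    """Return the reasons an autostart entry resembles the Shade persistence."""
    reasons = []
    lower = image_path(command_line).lower()
    name, directory = ntpath.basename(lower), ntpath.dirname(lower)
    if name in SYSTEM_PROCESS_NAMES and not directory.startswith(SYSTEM_DIRS):
        reasons.append(f"system process name {name} outside System32: {directory}")
    if value_name.strip().lower() in SUSPICIOUS_VALUE_NAMES:
        reasons.append(f"value name mimics a Windows component: {value_name}")
    if "\\content.ie5\\" in lower or "\\temporary internet files\\" in lower:
        reasons.append("executable launched from the IE cache directory")
    return reasons


def scan_run_entries(entries):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: classify_entry(name, cmd) for name, cmd in entries if classify_entry(name, cmd)}


if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```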
- 25.193.9 (ehlo.4711.se) – a TOR node
- 73.17.194 (turtles.fscked.org)
- 35.32.5 (faravahar.rabbani.jp)
- 31.0.39 (belegost.csail.mit.edu)
- 83.223.34 (rgnx.net) – a TOR node
At this point, the encryption process starts.
The encryption message:
In the README.txt file, the victim is instructed to contact lukyan.sazonov26[at]gmail.com to receive further instructions. This email address was previously associated with the Da Vinci ransomware, which served as inspiration for Shade ransomware.