SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Shade Ransomware (Oct 7th, 2016)


The Dell Sonicwall Threats Research team have observed a Ransomware Trojan that has been in existence for over a year and is still actively spreading in the wild. It spreads via malicious websites that use exploit kits and also infected email attachments. It is believed to be Russian in origin and has spread mostly in Russia.

Infection Cycle:

The Trojan uses the following icon:

Below is a sample of DNS queries made by the Trojan:

The Trojan adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetworkSubsystem %ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS %ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe

The Trojan adds the following files to the filesystem:

  • %USERSPROFILE%\Local Settings\Temp\04C7E0EC.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %USERSPROFILE%\Local Settings\Temp\ADADBC6C.exe [Detected as GAV: FileCryptor.GAP (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]

The readme files contain the following message:

      All the important files on your computer were encrypted.
      To decrypt the files you should send the following code:
      to e-mail address .
      Then you will receive all necessary instructions.
      All the attempts of decryption by yourself will result only in irrevocable loss of your data.
      If you still want to try to decrypt them by yourself please make a backup at first because
      the decryption will become impossible in case of any changes inside the files.
      If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
      use the feedback form. You can do it by two ways:
      1) Download Tor Browser from here:
      Install it and type the following address into the address bar:
      Press Enter and then the page with feedback form will be loaded.
      2) Go to the one of the following addresses in any browser:

The links have been blocked at the time of writing this alert.

After each DNS request it makes the following HTTP GET request to each host:

The C&C server is located on the tor network where all communication is encrypted. An RSA-3072 public key is requested from the server:

The Trojan will then search the filesystem for files with predefined extensions and encrypt them using the RSA-3072 public key. Upon encrypting files it renames them using a filename similar to the following with a da_vinci_code extension:

  • WY4BA86OCcwPVkbdji2JiS888iAqO7jOnXtXvJtekBU=.0E7F1123D9BE734AF274.da_vinci_code

After encrypting these files it displays the following message on the desktop background:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

      GAV: Shade.A (Trojan)
      GAV: FileCryptor.LJR (Trojan)
      GAV: FileCryptor.GAP (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2019 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 14.6 | S2MSW03