Troldesh/Shade ransomware gang releases over 750,000 decryption keys

 

The operators of the Troldesh ransomware (aka Shade or Encoder.858) have announced that they have shut down the operation and are publicly releasing over 750,000 decryption keys, along with their decryption software, to help victims recover their data.

The Troldesh ransomware, which has been active since 2014, is considered one of the most dangerous threats. It is associated with Russian-speaking actors and, like many other ransomware families, has been distributed mostly through malicious spam (malspam) and exploit kits.

“Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools,” the Troldesh crew said in a message posted on GitHub.

The ransomware authors also said that they stopped distributing the malware in late 2019, and that other data related to the operation, including the source code of the trojan, has been destroyed.

The team has provided mirrors for downloading decryption keys:

Researchers at Kaspersky Lab have confirmed the validity of the leaked keys and are now working on developing decryption tools.
