Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook

s expands ransomware u shade targets

tarekma7Shade Ransomware Expands to U.S. Targets
[Image: Ransomware_Lock.jpg]

Quote:Coming to America: The Shade ransomware, which has historically targeted Russian victims, was recently spotted expanding its sights.

Shade, a ransomware known to target Russian victims, has been spotted in several recent campaigns scoping out new locations – including in the U.S. and Japan.

The ransomware, first spotted in late 2014 by Kaspersky Lab researchers, has been known for focusing on Russian victims – but more recent cyberattacks indicate that the majority of Shade ransomware executables are targeting users outside of Russia.

“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union; they are the United States, Japan, India, Thailand, and Canada,” said Brad Duncan, researcher with Palo Alto Networks’ Unit 42 group in a Wednesday analysis.

Meanwhile, “Russia only occurs at number seven, and the only other country we found in the top ten where Russian is an official language is Kazakhstan, at number 10. The top industries attacked in these countries were high-tech, wholesale and education.”

[Image: Figure-1.-Desktop-of-a-Windows-host-infe...omware.png]

Ransomware Campaigns

The Shade ransomware is spread through malspam emails. In a recent February 2019 campaign for instance, the emails touted a link to an archive, archive attachment or attached PDF with a link to an archive, disguised as an invoice or bill.

These links and attachments lead to a Javascript or other script-based file that is designed to retrieve the Shade executable file.shade ransomware message

Interestingly, the payload remains “remarkably consistent” since its discovery in 2014, researchers said.

“When a Windows host is infected with Shade ransomware, its desktop background announces the infection, and 10 text files appear on the desktop, named README1.txt through README10.txt,” researchers said.

The desktop background message reads: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”

All of the README.txt files say the same thing: That is, asking users to send a code to an email address, which would then instruct them on how to make the payments.

New Targets

Recent malicious Shade emails are being sent to various countries other than Russia, indicating that the ransomware developers are looking to expand the breadth of their victim sets.

“We wouldn’t say this represents a switch in focus as much as another piece of the overall campaign over time and geography,” Bradley Duncan, Threat Intelligence Analyst for Unit 42 at Palo Alto Networks, told Threatpost. “Ultimately, attackers go where they think the money is and these attackers would seem to feel these countries may represent lucrative targets in the time we observed these attacks.”

Researchers conducted a deeper analysis between January through March 2019, tracking attempted deliveries of the Shade ransomware executable during an infection chain, focusing on packed executable (PE) files sent through a URL over TCP port 80.

Researchers found that the U.S. saw the most number of attempts to inject systems with Shade  (outpacing Japan, India and Thailand).

The top country with Shade ransomware infshade ransomware ection attempts among our customer base was the United States,” according to Palo Alto. “The vast majority of these URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-language countries.”

Meanwhile, the most common targets for Shade ransomware infection attempts were organizations in the high-tech category. Wholesale and retail, along with education and telecommunications, were also popular targets.

While researchers acknowledged that their results may be skewed towards English due to Palo Alto’s customer base from which it gathers its telemetry, “the analysis still “indicates Shade ransomware is very active outside of Russia and possibly targeting more English-speaking victims than Russian.”

“Attacks can be like sharks: they evolve as much as is needed to be effective,” Duncan told Threatpost. “When they reach a level of effectiveness that doesn’t require further evolution, they can stop evolving. Given that, it is reasonable to conclude that we will see Shade attacks continue.”


Possibly Related Threads…
Thread Author Replies Views Last Post
Information Zebrocy Infects Targets with New Golang-Based Backdoor via Dropbox Mohammad.Poorya 0 84 09-24-2019 , 06:52 PM
Last Post: Mohammad.Poorya
  Shade Ransomware extension .crypted000007 - Demonstration of attack video review baziroll 0 470 05-19-2017 , 01:27 PM
Last Post: baziroll

Forum Jump:

Users browsing this thread: 1 Guest(s)