{"id":38,"date":"2020-05-30T12:40:58","date_gmt":"2020-05-30T12:40:58","guid":{"rendered":"https:\/\/www.solutionsunlimitedsc.com\/blog\/?p=38"},"modified":"2020-11-06T13:33:26","modified_gmt":"2020-11-06T13:33:26","slug":"shade-ransomware-gang-gives-up-keys-apologizes-to-victims","status":"publish","type":"post","link":"https:\/\/www.solutionsunlimitedsc.com\/blog\/shade-ransomware-gang-gives-up-keys-apologizes-to-victims\/","title":{"rendered":"Shade ransomware gang gives up keys, apologizes to victims"},"content":{"rendered":"<p>The malicious actors behind Shade ransomware made an unusual announcement on GitHub, not only publishing all 750,000 decryptor keys for the malware but apologizing for their criminal actions.<\/p>\n<p>\u201cWe are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019.\u201d the operators purportedly\u00a0<a href=\"https:\/\/github.com\/shade-team\/keys\">posted<\/a>. \u201cAll other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.\u201d<\/p>\n<p>Each decryptor key likely represents one attack, making Shade particularly virulent during its time. The group gave no reason for its sudden change of heart, and Shahrokh Shahidzadeh, CEO at Acceptto, said the reasoning doesn\u2019t matter.<\/p>\n<p>\u201cNet-net this is a great win for the good guys. No matter what the motives of the operators of the Shade (Troldesh) ransomware, we will take it,\u201d he told SC Media. 
\u201cWhile this might mean that they are out of the game for good, it\u2019s not the first time that a group of attackers has torn down their infrastructure and gone dormant only to resurface later using different infrastructures and the same set of tools.\u201d<\/p>\n<p>In addition to supplying the keys, the group posted detailed instructions, along with a note that a victim who still has problems decrypting their files should wait for the security companies to post tools that make better use of the information provided. It was also noted that some of the published software is detected by some antivirus products because it shares common code blocks with the encryptor. To keep those files from being deleted, the gang zipped all the .exe files with the same password: 123454321.<\/p>\n<p>\u201cI also noticed that they have posted decryption tools on their repositories. Given their past history, my advice is not to use those tools as it is a risk that most organizations and individuals should not take,\u201d Shahidzadeh said. \u201cInstead, I recommend waiting until trusted actors, such as AV companies, produce a decryption tool.\u201d<\/p>\n<p>Shade was heavily used from about January 2019 through November 2019 with attacks trailing off starting in January 2020, which would support the gang\u2019s claim that it halted distribution late last year.<\/p>\n<p>Whether or not Shade is stepping aside remains to be seen. 
The\u00a0<a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/ransomware\/gandcrab-ransomware-operators-put-in-retirement-papers\/\">Gandcrab\u00a0<\/a>ransomware gang posted a retirement notice in June 2019 but recent reports have the threat actors re-emerging under the\u00a0<a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/report-suggests-gandcrabs-developers-may-have-created-sodinokibi-ransomware\/\">Sodinokibi\u00a0<\/a>moniker.<\/p>\n<p>More recently the cyber actors behind the\u00a0<a href=\"https:\/\/www.scmagazine.com\/?s=Nemty&amp;orderby=date&amp;order=desc\">Nemty<\/a>\u00a0ransomware-as-a-service operation are reportedly folding up shop as they concentrate their efforts on a newly launched malicious encryptor.<\/p>\n<p>The decision to shut down Nemty could leave some individuals in a lurch. As of April 14, the cybercriminals are giving victims one week to pay their ransom and receive a decryption key before Nemty\u2019s payment infrastructure is supposedly dismantled. This ticking clock could coerce some panicked victims to hastily pay up.<\/p>\n<p>Original article &#8211; https:\/\/www.scmagazine.com\/home\/security-news\/ransomware\/shade-ransomware-gang-gives-up-keys-apologizes-to-victims\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The malicious actors behind Shade ransomware made an unusual announcement on GitHub, not only publishing all 750,000 decryptor keys for the malware but apologizing for their criminal actions. \u201cWe are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. 
In fact, we stopped its distribution in the end of 2019.\u201d the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":52,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-38","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","entry"],"jetpack_featured_media_url":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-content\/uploads\/2020\/05\/Ransomeware.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/posts\/38","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/comments?post=38"}],"version-history":[{"count":1,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":39,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/posts\/38\/revisions\/39"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/media\/52"}],"wp:attachment":[{"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/media?parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/categories?post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.solutionsunlimitedsc.com\/blog\/wp-json\/wp\/v2\/tags?post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{
rel}","templated":true}]}}