The operators of the Shade (Troldesh) ransomware have shut down and released more than 750,000 decryption keys, which earlier victims can use to decrypt their files.
Security researchers at Kaspersky Lab have confirmed that the released keys are valid and plan to build a free decryption tool around them.
The Shade operators posted a message in a GitHub repository explaining their decision to release the keys.
The message states that they are the team that created the trojan-encryptor known as Shade, Troldesh or Encoder.858. They stopped distributing it at the end of 2019 and have now decided to publish all the decryption keys in their possession, which come to more than 750 thousand. They also state that they are publishing their decryption software, hoping that, with the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to their activity (including the source code of the trojan) was irrevocably destroyed. They also apologize to all the trojan's victims and hope that the published keys will help them recover their data.
However, the Shade operators did not explain the reason for their shutdown.
Shade ransomware was one of the oldest ransomware strains, first spotted in 2014 and operating almost non-stop until it shut down last year.
It was also one of the most active ransomware operations, distributed through a combination of email spam campaigns and exploit kits.
The ransomware was not perfect, though: during its lifetime, security researchers from Kaspersky and Intel Security (now McAfee) released several decryption tools that could help victims recover files. Those decryptors worked only against a small number of Shade versions, and the last of them was released in 2017.
The decryption keys released today are believed to cover all versions of the ransomware, so they should help everyone whose files were encrypted by Shade.
Recovery is only possible for victims who still have the encrypted files: a key is useless without the ciphertext it belongs to.
Security experts advise victims to keep ransomware-encrypted files on an offline hard drive for exactly this reason. Most victims simply reinstall their computer and delete the encrypted data along with it; those who kept their encrypted files can now recover data that was once considered lost.
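As an added example (not code from the article, from Kaspersky, or from the Shade operators), the following Python script performs the preservation step the advice above describes: it inventories candidate encrypted files under a directory by file extension, records a SHA-256 manifest, copies only those files to a separate location standing in for the offline drive, and verifies the copy against the manifest so that a corrupted or partial copy is noticed before any decryptor is run. The extension `.crypted000007`, the directory layout and the file contents are assumptions constructed for the demonstration; the article names no extensions and a victim would substitute the extension their files actually carry.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large encrypted files never load into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path, extensions) -> dict:
    """Return {relative_posix_path: {"size": bytes, "sha256": hex}} for every file under
    root whose last suffix is in `extensions` (compared case-insensitively)."""
    root = Path(root)
    wanted = {ext.lower() for ext in extensions}
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in wanted:
            manifest[path.relative_to(root).as_posix()] = {
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            }
    return manifest


def verify_copy(copy_root: Path, manifest: dict) -> list:
    """Return the manifest entries that are missing or altered under copy_root.
    An empty list means the preserved copy matches the originals byte for byte."""
    copy_root = Path(copy_root)
    problems = []
    for rel, info in manifest.items():
        target = copy_root / rel
        if (not target.is_file()
                or target.stat().st_size != info["size"]
                or sha256_file(target) != info["sha256"]):
            problems.append(rel)
    return problems


def demo():
    """Constructed scenario: two 'encrypted' files and one untouched file on the victim
    machine, copied to a directory standing in for the offline drive. The copy is verified,
    then one preserved file is corrupted and verified again."""
    # Assumed extension for the demo only; the article does not name any.
    encrypted_exts = [".crypted000007"]
    with tempfile.TemporaryDirectory() as victim, tempfile.TemporaryDirectory() as offline:
        victim_dir, offline_dir = Path(victim), Path(offline)
        (victim_dir / "docs").mkdir()
        # Constructed sample contents; real ciphertext would be opaque bytes of the same shape.
        (victim_dir / "docs" / "report.docx.crypted000007").write_bytes(b"\x00opaque-ciphertext-1")
        (victim_dir / "photo.jpg.crypted000007").write_bytes(b"\x00opaque-ciphertext-2")
        (victim_dir / "notes.txt").write_bytes(b"plain file, not encrypted")

        manifest = build_manifest(victim_dir, encrypted_exts)

        # Preserve only the encrypted files, keeping their directory layout and timestamps.
        for rel in manifest:
            dst = offline_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(victim_dir / rel, dst)
        (offline_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))

        intact = verify_copy(offline_dir, manifest)

        # Simulate a damaged offline copy (bad sector, interrupted copy): same size, one byte changed.
        (offline_dir / "photo.jpg.crypted000007").write_bytes(b"\x00opaque-ciphertext-X")
        corrupted = verify_copy(offline_dir, manifest)
        return manifest, intact, corrupted


if __name__ == "__main__":
    manifest, intact, corrupted = demo()
    print(json.dumps(manifest, indent=2))
    print("problems in intact copy:", intact)
    print("problems after corruption:", corrupted)
```

The manifest is written next to the preserved files so that, when a decryptor becomes available, the victim can re-run the verification against the drive and know that the ciphertext being fed to it is exactly what was encrypted on the original machine.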