{"id":12661,"date":"2016-07-25T08:00:33","date_gmt":"2016-07-25T12:00:33","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12661"},"modified":"2021-03-17T10:32:12","modified_gmt":"2021-03-17T14:32:12","slug":"shade-decryptor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/shade-decryptor\/12661\/","title":{"rendered":"No More Ransom"},"content":{"rendered":"<p>Last year, we joined forces with Dutch law enforcement to launch the <a href=\"http:\/\/noransom.kaspersky.com\" target=\"_blank\" rel=\"noopener\">NoRansom<\/a> website, which helps victims of CoinVault ransomware restore access to their data. Later, we enhanced the website with a couple of other free tools to restore files encrypted by other cryptors such as TeslaCrypt, CryptXXX, and others like them.<\/p>\n<p>Today we\u2019re taking another big step in our crusade against ransomware. Together with the Dutch police, Europol, and Intel Security, we created <a href=\"https:\/\/www.nomoreransom.org\/?utm_medium=blg&amp;utm_source=kd_post_160725&amp;utm_campaign=ww_kl_release\" target=\"_blank\" rel=\"noopener nofollow\">NoMoreRansom.org<\/a>, a website where we plan to aggregate the widest selection of decryptors available anywhere.<\/p>\n<p>We are starting by adding another virus cure to the website \u2014 one to help victims of <a href=\"https:\/\/securelist.com\/analysis\/publications\/72087\/the-shade-encryptor-a-double-threat\/\" target=\"_blank\" rel=\"noopener\">Shade ransomware<\/a> to restore their files. We offer it, like the others, free of charge.<\/p>\n<h3>Shade<\/h3>\n<p>Shade is a family of ransomware cryptors that emerged in early 2015. Shade Trojans use malicious spam or <a href=\"https:\/\/www.kaspersky.com\/blog\/exploits-problem-explanation\/9448\/\" target=\"_blank\" rel=\"noopener nofollow\">exploit kits<\/a> as primary attack vectors. 
The latter is the more hazardous method because a victim does not have to open any files \u2014 a single visit to an infected website does the trick.<\/p>\n<p>When the ransomware infiltrates a victim\u2019s system, the Trojan requests an encryption key from the criminal\u2019s command-and-control (C&amp;C) server \u2014 or, should the server be unavailable, uses one of the keys embedded in advance. That means, even if the PC is disconnected from the Internet, the ransomware functions, provided it\u2019s already in the system.<\/p>\n<p>The malware then starts encrypting files. It affects more than 150 formats, including Microsoft Office files, images, and archives. When encrypting, Shade adds a .xtbl or .ytbl extension to the file name. Once the encryption process is complete, a ransom note appears on the screen.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021814\/shade-ransom-demand.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-12666\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021814\/shade-ransom-demand.png\" alt=\"Shade cryptor ransom demand\" width=\"1366\" height=\"768\"><\/a><\/p>\n<p>As if the file encryption was not bad enough, the ransomware continues on its rampage: While the victim panics and searches for a decryptor \u2014 or money for ransom \u2014 Shade keeps busy, downloading other malware onto the compromised PC.<\/p>\n<h3>Get the free decryptor<\/h3>\n<p>If you were unlucky enough to fall victim to Shade, we have a spot of good news for you: We can spare you the temptation to pay ransom to get your encrypted files back. Here\u2019s what to do:<\/p>\n<p>1. Go to <a href=\"https:\/\/www.nomoreransom.org\/decryption-tools.html?utm_medium=blg&amp;utm_source=kd_post_160725&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener nofollow\">NoMoreRansom.org<\/a>.<\/p>\n<p>2. 
Scroll down and find the two download buttons for decryptors. You may choose the decryptor from Intel Security or Kaspersky Lab. The following instructions are for our own decryptor, however.<\/p>\n<p>3. Unzip the downloaded file, ShadeDecryptor.zip.<\/p>\n<p>4. Run <b>ShadeDecryptor.exe<\/b>.<\/p>\n<p>5. In the Kaspersky ShadeDecryptor window, click <b>Change Parameters<\/b>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021819\/kaspersky-shade-decryptor-1.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-12663\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021819\/kaspersky-shade-decryptor-1.jpg\" alt=\"Shade decryptor user manual\" width=\"769\" height=\"705\"><\/a><\/p>\n<p>6. Choose which drives the utility should check for encrypted files.<\/p>\n<p>7. In the same window, you may also choose \u201cDelete crypted files after decryption,\u201d but we do not recommend doing that until you are 100% sure your files have been restored.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021817\/kaspersky-shade-decryptor-2.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-12664\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021817\/kaspersky-shade-decryptor-2.jpg\" alt=\"Shade decryptor user manual\" width=\"768\" height=\"705\"><\/a><\/p>\n<p>8. Click \u201cOK\u201d to return to the main screen. Click <b>Start scan<\/b>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021816\/kaspersky-shade-decryptor-3.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-12665\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021816\/kaspersky-shade-decryptor-3.jpg\" alt=\"Shade decryptor user manual\" width=\"769\" height=\"705\"><\/a><\/p>\n<p>9. 
In the \u201cSpecify the path to one of encrypted files\u201d window, choose one of the encrypted files and click \u201cOpen.\u201d<\/p>\n<p>10. If the utility says it cannot automatically detect the victim\u2019s ID, specify the file path to the <b>readme.txt<\/b> file, which is essentially the ransom note and which contains the ID in question.<\/p>\n<p>Now your files should be decrypted. Enjoy the money you just saved! And to protect yourself from ransomware attacks in the future, use a robust security solution, such as <a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a>. For additional guidance on ransomware check out <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-10-tips\/10673\/\" target=\"_blank\" rel=\"noopener nofollow\">this post<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n","protected":false},"excerpt":{"rendered":"<p>Good news, everyone! We have help for victims of Shade ransomware. 
Now you can decrypt the data without paying ransom.<\/p>\n","protected":false},"author":421,"featured_media":12662,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7,2683,9],"tags":[1680,1733,1735,1734,420,1732,723],"class_list":{"0":"post-12661","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-products","8":"category-threats","9":"category-tips","10":"tag-cryptors","11":"tag-decryptors","12":"tag-manual","13":"tag-nomoreransom","14":"tag-ransomware","15":"tag-shade","16":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/shade-decryptor\/12661\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/shade-decryptor\/7441\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/shade-decryptor\/7470\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/shade-decryptor\/7427\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/shade-decryptor\/8770\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/shade-decryptor\/8664\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/shade-decryptor\/12591\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/shade-decryptor\/2277\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/shade-decryptor\/5903\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/shade-decryptor\/6426\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/shade-decryptor\/8305\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/shade-decryptor\/12072\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/shade-decryptor\/12591\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/shade-decryptor\/12661\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/shade-decryptor\/12661\/"}],"acf":[],"banners
":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cryptors\/","name":"cryptors"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12661"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12661\/revisions"}],"predecessor-version":[{"id":39060,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12661\/revisions\/39060"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12662"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}