Hello, world!
This was a big week for ransomware news and analysis! Let’s start with Shade team’s GitHub dump and go from there!
Decryption keys from Shade
A group of individuals asserting to be responsible for the Shade strain of ransomware uploaded decryption keys and information on GitHub in the repository shade-team/keys.
The repo includes a fairly detailed README that concludes with a helpful note for those seeking to recover files encrypted by Shade ransomware:
If you have any difficulties we advise you to wait until the antivirus companies release more convenient utilities for the decryption. Or you can ask for free help on one of the thematic forums.
Shade Decryptors
Per NoMoreRansom.org, both Kaspersky and McAfee have released decryptors. Infosec Twitter asserts that the decryptors work as expected.
Microsoft on Ransomware
Microsoft’s Threat Protection Intelligence Team has another excellent blog post about ransomware group techniques, including some comparisons between crews such as Maze, REvil/Sodinokibi and NetWalker:
Read: Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
My soon-to-be team at Microsoft just dropped this extremely in-depth look at major ransomware groups.
The graphic should say it all but definitely worth a read.
You absolutely can protect your business from these very credible, real-world threats. https://t.co/mJTVcaZ9wE
— Kevin Beaumont (@GossiTheDog) April 28, 2020
Ransomware Round-Up
- WIRED: The Covid-19 Pandemic Reveals Ransomware’s Long Game
- LockBit, the new ransomware for hire: a sad and cautionary tale
- Clop ransomware leaks ExecuPharm’s files after failed ransom
- Lucy malware for Android adds file-encryption for ransomware ops
- Ransomware mentioned in 1,000+ SEC filings over the past year | It looks like we are not the only ones poking around SEC filings for ransomware references.
- The Many Paths Through Maze | This is an excellent blog post from CrowdStrike that provides insight into their approach to reversing Maze ransomware samples.
/etc
Ransomware and BTC Tokens
Ransomware Tweet of the Week
Instead of the usual accept ToS and etc checkboxes, now a ransomware's help site has a "Do you agree our rules?" checkbox...
😂
"Do you agree that by submitting an application you have already replenished your Bitcoin wallet and you will not have problems with payment?" pic.twitter.com/HyJNvQ1OJz
— MalwareHunterTeam (@malwrhunterteam) April 28, 2020
FIN
Q: How do you say “ransomware” in Russian?
A: программы-вымогателя
The site context.reverso.net includes the English and Russian translations for several phrases including the term ransomware.