File extensions .better_call_saul;.breaking bad;.heisenberg;.xtbl;.ytbl are just some of the extensions associated with the nasty Shade ransomware virus. Many variants have appeared since one of the first CrySiS variants, and many have reason to believe that all variants associated with this virus were created by the very same hacking team for one thing – profit. Malware researchers continue to discover newer variants of the virus, each with its own distinguishing modifications. The good news is that Kaspersky malware researchers have created a decryptor for the Shade ransomware which should be able to recover files encoded by this virus. This is why we have created instructions on how to use Kaspersky’s Shade Decryptor to hopefully decrypt your files in case they have been encoded by this crypto virus.
Shade Ransomware – A Bit Of Background
Shade, also known as Troldesh ransomware, is a virus that was first detected in September 2015. Back then, the virus used the now discontinued Nuclear Exploit Kit to infect users on a massive scale. Nuclear EK is now dead, but Shade is far from it. Many new variants of this virus have since appeared, and they use new techniques, like modified exploit kits and even brute forcing, to infect your computer. Here are some of the viruses related to Shade:
- Savepanda@india.com Ransomware
- Malevich Ransomware
- Fantom Ransomware
- Ramachandra7@india.com Ransomware
- Siddhiup2@india.com Ransomware
- Legioner_seven@aol.com Ransomware
- Seven_legion@aol.com Ransomware
- Space_rangers@aol.com Ransomware
- Diablo_diablo2@aol.com Ransomware
- Cyber_baba2@aol.com Ransomware
- Batman_good@aol.com Ransomware
- Melme@india.com Ransomware
- Masterlock@india.com Ransomware
- Supportfriend@india.com Ransomware
- Calipso.firstname.lastname@example.org Ransomware
- Centurion_Legion Ransomware
- Better_Call_Saul Ransomware
- Da_Vinci_Code Ransomware
- Veracrypt Ransomware
- DrugVokrug727 Ransomware
- Grand_car Ransomware
- Meldonii Ransomware
- Makdonalds Ransomware
- SystemDown Ransomware
- Radxlove7 Ransomware
- Redshitline@india.com Ransomware
These viruses may be very different, but several shared symptoms, such as the encryption used, the files they create and some of the folders they are dropped in, unify them and lead researchers to believe that they are all Troldesh / Shade ransomware variants. Luckily, Kaspersky has released a decryptor for those viruses, so their victims may be in luck.
Shade Ransomware – Removal and Decryption Instructions
Phase 1 – Removal
Before you attempt any form of decryption, it is advisable to first remove this virus from your computer, to be safe. We have provided a fast removal manual that will help you locate and delete the files of the Shade ransomware virus before starting the decryption process.
Manually delete Shade Ransomware from your computer
Note! Important notice about the Shade Ransomware threat: manual removal of Shade Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.
Automatically remove Shade Ransomware by downloading an advanced anti-malware program
Phase 2 – Decryption
After you have removed this nasty ransomware, follow the steps below to try to decrypt files encrypted by Shade ransomware.
Step 1: Prepare your computer to stay awake and not turn off automatically during the scan by doing the following:
1) Click once on the power icon (battery icon) in your system tray, located next to the clock in the bottom right. In the menu that appears, click on More Power Options.
2) After the Power Options menu shows up, click on Change Plan Settings to open the settings.
3) In there, make sure you set everything from “Turn off the display” to “Put Computer to Sleep” in all modes to “Never”.
4) Now go to “Change Advanced Plan Settings”, expand the “Hard Disk” setting in the list and set its settings to “Never” as well.
Step 2: Download the Kaspersky Shade Decryptor by clicking on the button below and save the archive on your computer.
Step 3: Open the archive. For this, you need an archive reading program like the free WinRAR, for example. Extract the ShadeDecryptor.exe file somewhere where you can easily locate it.
Step 4: Open the decryptor and click on the Start Scan button to open the file explorer.
Step 5: Choose an encrypted file and click on Open, after which the decryptor should begin looking for keys corresponding to your computer. Be advised that you need to be patient, since this process may take from hours up to days.
Shade Ransomware Decryption – Conclusion and Tips
Keep in mind that if you try this process, you should do so on a safe PC and, more importantly, you should make copies of the encrypted files. This is because some versions of Shade ransomware, like the CrySiS virus, have been reported to use a defensive CBC mechanism that breaks the files if a third-party decrypter attempts to decode them. This is why it is almost imperative that you make copies of the files you are trying to decode.
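One way to make those copies before running any decryptor, as an added example that is not part of the original article or of Kaspersky's tool: a Python script that copies every file carrying one of the extensions listed at the top of this page into a separate backup folder and checks each copy against the original by SHA-256. The function names, the `manifest.sha256` file name and the underscore spelling of `.breaking_bad` are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

# Extensions listed at the top of this page. The page prints ".breaking bad";
# the underscore spelling used here is an assumption.
SHADE_EXTENSIONS = (".better_call_saul", ".breaking_bad", ".heisenberg",
                    ".xtbl", ".ytbl")


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large encrypted files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_encrypted(src_root, dest_root, extensions=SHADE_EXTENSIONS):
    """Copy files with a listed extension to dest_root, keeping the folder
    layout, and return {relative_path: sha256} for the verified copies."""
    src_root, dest_root = Path(src_root).resolve(), Path(dest_root).resolve()
    if dest_root == src_root or src_root in dest_root.parents:
        raise ValueError("backup folder must be outside the scanned folder")
    suffixes = tuple(ext.lower() for ext in extensions)
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(src_root.rglob("*")):
        if not path.is_file() or not path.name.lower().endswith(suffixes):
            continue
        rel = path.relative_to(src_root)
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 also keeps timestamps
        original, copied = sha256_of(path), sha256_of(target)
        if original != copied:
            raise IOError(f"copy of {rel} does not match the original")
        manifest[rel.as_posix()] = original
    # Record the hashes so the untouched copies can be re-checked later.
    (dest_root / "manifest.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()))
    return manifest


if __name__ == "__main__":
    import sys
    for name, digest in backup_encrypted(sys.argv[1], sys.argv[2]).items():
        print(digest, name)
```

Run it with the folder to scan and a backup folder on a different drive as the two arguments, and keep the backup untouched while the decryptor works.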
We also advise that you keep in mind how you store your data in the future: