Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Decrypt Files Encrypted by Shade .Xtbl Ransomware

ransomware-encryption-explained-stockhoto-stforumFile extensions .better_call_saul;.breaking bad;.heisenberg;.xtbl;.ytbl are just some of the expansions associated with the nasty Shade ransomware virus. There have been many variants ever since one of the first CrySiS variant has appeared, and many have the reason to believe that all variants associated with this virus have been created by the very same hacking team for one thing – profit. Malware researchers continue to discover even newer variants of the virus, all with different modifications distinguishable to them. The good news is that Kaspersky malware researchers have successfully created ransomware decryptor for the Share ransomware which should be able to recover files encoded by this virus successfully. This is where we have decided to create instructions on how to use Kaspersky’s Shade Decryptor and hopefully decrypt your files in case they have been encoded by this crypto virus.

Shade Ransomware – A Bit Of Background

The Shade also known as Troldesh Ransomware is a virus that has been first detected in September 2015. Back then, the virus used the discontinued now Nuclear Exploit Kit to infect users on a massive scale. Nuclear EK is now dead, but Shade is long from being that. Many new variants of this virus have now appeared, and they use new techniques, like modified EK and even brute forcing to infect your computer. Here are some of the viruses related to Shade:

These many viruses may be very different, but there are several symptoms like the encryption used, the files created by them and some folders they are dropped in, that unify them, driving researchers into believing that they are all Trolldesh / Shade ransomware variants. Luckily Kaspersky has released a decryptor for those viruses and victims by them may be in luck.

Shade Ransomware – Removal and Decryption Instructions

Phase 1 – Removal

Before you attempt any form of decryption, it is advisable that you remove this virus from your computer firstly, to be safe. We have provided a fast removal manual that will help you locate and delete the files of the Shae ransomware virus before starting the decryption process.

Manually delete Shade Ransomware from your computer

Note! Substantial notification about the Shade Ransomware threat: Manual removal of Shade Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Shade Ransomware files and objects
2. Find malicious files created by Shade Ransomware on your PC
3. Fix registry entries created by Shade Ransomware on your PC

Automatically remove Shade Ransomware by downloading an advanced anti-malware program

1. Remove Shade Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Shade Ransomware in the future

Phase 2 – Decryption

After you have removed this nasty ransomware, you should follow the bellow mentioned steps to try and decrypt files encrypted by Shade ransomware.

Step 1: Prepare your computer to stay awake and not automatically turn off during scan by doing the following:

1)Click once on the icon for the power (battery icon) in your system tray that is located next to your clock in the bottom right. After this, a menu will appear and on it click on More Power Options.
2)After the Power Options menu shows up, click on Change Plan Settings to open the settings.
3)In there, make sure you set everything from “Turn off the display” to “Put Computer to Sleep” in all modes to “Never”.
4)Now go to “Change Advanced Plan Settings” and go to the expanding “Hard Disk” setting from the list and set it’s settings to “Never” as well.

Step 2: Download the Kaspersky Shade Decryptor by clicking on the button below and save the archive on your computer.

Download

Kaspersky Shade Decryptor

1-shade-decryptor-download-sensorstechforum

Step 3: Open the archive. For this, you need an archive reading program like the free WinRar, for example. Extract the ShadeDecryptor.exe file somewhere where you can easily locate it:

2-shade-decryptor-extract-sensorstechforum

Step 4: Open the decrypter and click on the Start Scan button to open the file explorer:

3-shade-start-scan-button-sensorstechforum

Step 5: Choose an encrypted file and click on Open after which the decryptor should begin looking for keys corresponding to your computer. Be advised that you need to be patient since this process may take from hours up to days.

3.2-encrypted-file-shade-ransomware-sensorstechforum

4-decrypting-shade-ransomware

Shade Ransomware Decryption – Conclusion and Tips

Keep in mind that if you are to try this process, you should try it on a safe PC and more importantly you should make copies of the encrypted files. This is because some versions of Shade ransomware, like the CrySiS virus have been reported to use a defensive CBC mechanism that breaks the files if a third-party decrypter attempts to decode them. This is why it is almost imperative that you make copies of the files you are trying to decode.

We also advise that you keep in mind how you store your data in the future:

Safely Store Your Important Files and Protect Them From Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • Manish Singh

    The kaspersky Shade decryptor does not work. It even cannot identify that the file is encrypted.

    • Hello, Manish, it is very unfortunate that it does not work for you. Since your variant may be diferent than the conventional Shade viruses, I urge you to try EmsiSoft’s decrypter:

      https://decrypter.emsisoft.com/globe

      Get back to us with your experience!

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.