Remove BlackShades Ransom Trojan and Restore the Encrypted Files - How to, Technology and PC Security Forum |

Remove BlackShades Ransom Trojan and Restore the Encrypted Files


A very dangerous RAT (Remote Access Trojan) has been reported to have the capability to hold its victims' computers for ransom. The Trojan has been reported to be spread primarily in North America and the UK. It has been the reason for over 100 arrests conducted by law enforcement agencies, with over 1000 storage devices seized, SC Magazine reports. Users who have had their computers locked by the BlackShades ransomware Trojan are strongly advised not to pay any ransom money and to seek alternative methods, such as the ones in this article, to remove this Trojan and restore the encrypted files.

Threat Summary

Type: Remote Access Trojan with file encryption capability.
Short Description: The ransomware encrypts files with a strong cipher and asks for a ransom payment for decryption. It also steals information and may perform remote control activities on the infected machine.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom may be shown as a text file or as the desktop wallpaper.
Distribution Method: Spam emails, email attachments, file sharing networks.
Detection Tool: See If Your System Has Been Affected by BlackShades (Malware Removal Tool).
User Experience: Join our forum to Discuss Locky Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

BlackShades Ransom Trojan – Distribution

This Trojan is a remote access Trojan, which means that it opens a port and establishes an active connection to the cybercriminals' control server. To infect users and establish this connection, the Trojan uses the following malicious executable, detected by ESG researchers:

→ File Name: WinSecurity.exe
Size: 241,152 KB
MD5: 45beca45fc84cfea06cfc50490a222ba

Researchers believe that this executable may be distributed alongside fake setups of programs downloaded from shady third-party locations. Another scenario suggests that the file may be in an obfuscated form and could be distributed in an archive uploaded online or via spam e-mail messages. Either way, users are strongly advised to follow the usual security tips to protect themselves against ransomware in the future.

BlackShades Ransom Trojan In Detail

Once activated on the computer, the WinSecurity.exe file may establish a connection to the C&C server of the cyber-criminals. From there, the Trojan may send the following information to them:

  • Operating system installed.
  • Hardware specs.
  • Browsing history.
  • Network information.
  • Passwords.

After this has been completed, the Trojan may disable any antivirus or anti-malware software that is actively running. In addition, the Trojan may give the cyber criminals administrative access to your computer. Most RATs even offer the crooks further options, such as encrypting files. If the people behind the BlackShade Crypter Ransomware decide it is time to encrypt your files, they may execute a remote command that makes the malicious file scan for different files to encrypt, for example:


The encrypted files may have various file extensions added to them, and they can no longer be opened. In addition, the ransomware may lock the user out of the computer completely by modifying settings in the Windows Registry.

Besides its encryption capability, the Trojan has been reported to be associated with the following files:

  • dos_sock.bss
  • nir_cmd.bss
  • pws_cdk.bss
  • pws_chro.bss
  • pws_ff.bss
  • pws_mail.bss
  • pws_mess.bss
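The file name, MD5 hash and associated module names listed above are the only concrete indicators this article gives, and the practical thing a defender does with them is sweep a disk for matches. The following script is an added example, not code from the original article or from any vendor it mentions: it walks a directory tree, flags files whose name is on the list, and computes each file's MD5 to compare against the published hash. The sample directory it builds is constructed for demonstration (placeholder contents, not the real dropper), so only name matches are expected from it; a hash match is the stronger signal on a real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the dropper name and the MD5 reported
# for it, plus the helper module names associated with the Trojan.
IOC_FILE_NAMES = {
    "winsecurity.exe",
    "dos_sock.bss", "nir_cmd.bss", "pws_cdk.bss", "pws_chro.bss",
    "pws_ff.bss", "pws_mail.bss", "pws_mess.bss",
}
IOC_MD5 = {"45beca45fc84cfea06cfc50490a222ba"}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root, names=IOC_FILE_NAMES, hashes=IOC_MD5):
    """Walk `root`; return sorted (path, reason) pairs for every file that
    matches an indicator by name, by MD5, or both."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            reasons = []
            if fname.lower() in names:          # case-insensitive: NTFS is
                reasons.append("name:" + fname)  # not case-sensitive
            try:
                digest = md5_of_file(full)
            except OSError:
                # Locked or permission-denied file: skip it, keep sweeping
                continue
            if digest in hashes:
                reasons.append("md5:" + digest)
            if reasons:
                hits.append((full, ", ".join(reasons)))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample directory for demonstration only. The two
    suspicious names carry placeholder bytes, not real malware, so their
    hashes will not match the published MD5."""
    base = Path(base)
    (base / "Windows" / "Temp").mkdir(parents=True, exist_ok=True)
    (base / "Users" / "alice").mkdir(parents=True, exist_ok=True)
    (base / "Windows" / "Temp" / "WinSecurity.exe").write_bytes(
        b"constructed placeholder, not the real dropper")
    (base / "Windows" / "Temp" / "pws_ff.bss").write_bytes(b"placeholder module")
    (base / "Users" / "alice" / "notes.txt").write_bytes(b"benign document")
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    return scan_for_iocs(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys
    # Usage: python ioc_sweep.py [directory]; with no argument, scan the sample tree
    hits = scan_for_iocs(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in hits:
        print(f"{reason}\t{path}")
```

A name match on its own is only a lead: a legitimate program could plausibly ship a file called WinSecurity.exe, so treat name hits as candidates to hash and examine, and treat a hash hit as a confirmed sample. Run the sweep from a clean boot (the safe-mode step recommended later in this article) so the Trojan cannot hide or lock its files while the disk is read.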

In addition, users may notice the Trojan's presence by the following symptoms:

  • The mouse cursor moves on its own.
  • The web camera's light becomes active.
  • The monitor turns off during use.
  • The usernames and passwords on the infected PC are changed.
  • Files can no longer be opened, and a ransom note has been left for the unlocking of the files.

Researchers have reported that BlackShades is a very nasty cyber-threat because, besides having the ability to hold your files locked until you pay a hefty “fee,” the virus can also steal all of the information from infected PCs. If you become a “lucky winner” of the ransomware, bear in mind that you should immediately switch off your internet connection.

Remove BlackShades Ransomware Trojan and Restore the Encrypted Files

To remove this ransomware fully from your computer, you need to isolate it first. This means that you should boot your computer into safe mode to stop any third-party software from running and, from there, start the removal process. We suggest that you follow the removal instructions below to delete the Trojan. Due to the complexity of the situation, experts advise using an advanced anti-malware tool to help you detect all the registry entries and files this ransomware has dropped and modified on your computer.

If you have had your files encoded by the ransomware, we advise you to try the file restoration alternatives in step “3. Restore files encrypted by BlackShades” while you wait for a decryptor to be released. Once a decryptor has been released, we will update this article with a download URL.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
