Several IT security experts have drawn attention to the emergence of a new ransomware, Black Shades, which attacks both English- and Russian-speaking users. The ransomware encrypts all of the user's files, appending the extension .silent, and demands only $30 for decryption. Researchers also found the following line in the ransomware's source code: “Hacked by Russian hackers in Moscow Tverskaya Street”. Some security experts quickly discovered a flaw in the ransomware and provided a simple way to protect a computer against it.
The first to notice Black Shades, three weeks ago, was an independent researcher known under the pseudonym Jack (@Malwareforme). Earlier, Jack was also the first to discover the ZCryptor ransomware, about which Microsoft warned users a few days later.
Black Shades can be distinguished from other ransomware by two things. First, the malware demands a surprisingly small ransom from its victims, only $30, payable via Bitcoin or PayPal. Second, researchers discovered strange insertions in the malware's source code. They believe the authors added cryptic comments and used obfuscation deliberately to mock those who analyze the ransomware's code.
The “encoding” is simple: using standard base64, researchers managed to decipher the messages. For example, the string:
private static string string_0 = WW94Y25ub3RjcmFja3RoaXNBbGdvcml0aG15bmFyZT5pZGlvdDw=
stands for “YoxcnnotcrackthisAlgorithmynare> idiot <”.
Other messages were: “You can not break me I am very hard”, “Hacked by Russian Hackers in Moscow Tverskaya Street” and “youaresofartocrackMe”.
As for how Black Shades works, the ransomware follows a fairly standard scheme. Researchers believe it spreads under the guise of fake cracks, patches and movies. Once installed on the victim's computer, Black Shades first removes the shadow copies with the command cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet. It then starts encrypting data with the AES-256 algorithm, but before that the ransomware checks two things. First, to determine the victim's IP address, Black Shades contacts the website http://icanhazip.com. Second, to check Internet connectivity, the malware contacts google.com.
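Two of the analysis steps above, decoding the base64 string constants quoted from the source and spotting the shadow-copy deletion command in process-creation logs, as an added Python example that is not part of the original article. The log lines and the second string constant are constructed; the first constant is the one quoted above.

```python
import base64
import re

# Matches the C#-style constants the article quotes from the decompiled sample,
# e.g. `private static string string_0 = WW94...=` (quotes/semicolon optional).
CONST_RE = re.compile(
    r'private\s+static\s+string\s+(\w+)\s*=\s*"?([A-Za-z0-9+/]+={0,2})"?\s*;?')


def decode_string_constants(source):
    """Map each base64 string constant in `source` to its decoded text;
    values that are not valid base64 or not printable are skipped."""
    decoded = {}
    for name, value in CONST_RE.findall(source):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded[name] = text
    return decoded


def is_shadow_copy_deletion(command_line):
    """True if the command line deletes Volume Shadow Copies via vssadmin,
    the step the article says Black Shades runs before encrypting."""
    normalized = " ".join(command_line.lower().split())
    return "vssadmin" in normalized and "delete shadows" in normalized


def find_shadow_copy_deletions(log_lines):
    """Return the log lines whose CommandLine field deletes shadow copies."""
    hits = []
    for line in log_lines:
        match = re.search(r'CommandLine="([^"]*)"', line)
        if match and is_shadow_copy_deletion(match.group(1)):
            hits.append(line)
    return hits


# Constructed input: string_0 is the constant quoted in the article,
# string_1 is a made-up constant that decodes to "hello".
SAMPLE_SOURCE = """
private static string string_0 = WW94Y25ub3RjcmFja3RoaXNBbGdvcml0aG15bmFyZT5pZGlvdDw=
private static string string_1 = "aGVsbG8=";
"""

# Constructed process-creation log lines in a Sysmon-like key=value layout.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet"',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
    r'Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe List Shadows"',
]
```

Listing shadow copies is left unflagged on purpose; only the Delete Shadows form that the article describes is reported.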
This behaviour gives the easiest way to deal with it. Simply open the hosts file (c:\windows\system32\drivers\etc\hosts) and add the line 127.0.0.1 www.icanhazip.com. If the ransomware fails to connect to the website, it crashes and displays an error message (Vshost windows has encountered a problem. We are sorry for the inconvenience – the name could not be resolved: “icanhazit.com”). Thus the ransomware is stopped before it has even started its work.
Researchers believe the developers of Black Shades will likely remove this flaw in future versions of the ransomware. For now, though, the trick may be useful, especially since the Black Shades encryption cannot be decrypted. We also recommend keeping your computer updated and clean of malware. Download and install our automatic removal tool to scan your computer for threats and clean all of them with a single click.
Symptoms of a Black Shades infection on your computer can include computer crashes, an unusual homepage or search engine in your browser, unwanted pop-up ads and advertising banners. We recommend downloading our automatic removal tool. It has been tested for Black Shades removal and is easy to use.