{
	"id": "0a3108ac-33e5-42ed-9df3-8af53861421c",
	"created_at": "2026-04-06T01:31:55.886119Z",
	"updated_at": "2026-04-10T03:20:57.563448Z",
	"deleted_at": null,
	"sha1_hash": "9d69fa7b205daea5bae3487f59968a6d7358baf9",
	"title": "Russia hit by new wave of ransomware spam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416232,
	"plain_text": "Russia hit by new wave of ransomware spam\r\nBy Juraj Jánošík\r\nArchived: 2026-04-06 00:55:55 UTC\r\nESET Research\r\nAmong the increased number of malicious JavaScript email attachments observed in January 2019, ESET researchers have spotted a large wave of ransomware-spreading spam targeting Russian users\r\n28 Jan 2019, 5 min. read\r\nJanuary 2019 has seen a dramatic uptick in detections of malicious JavaScript email attachments, an attack vector that mostly lay dormant throughout 2018. Among the “New Year edition” of malicious spam campaigns relying on this vector, we have detected a new wave of Russian-language spam that distributes ransomware known as Shade or Troldesh, and detected by ESET as Win32/Filecoder.Shade.\r\nThe campaign appears to be a follow-up to a malicious spam campaign that started distributing the Shade ransomware in October 2018.\r\nThe January 2019 campaign\r\nhttps://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/\r\nPage 1 of 8\r\nOur telemetry shows the October 2018 campaign running at a consistent pace until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size, as seen in Figure 1. The drops in the graph are aligned with weekends, which suggests that the attackers favor company email addresses.\r\nFigure 1 - Detections of malicious JavaScript attachments spreading Win32/Filecoder.Shade since October 2018\r\nAs previously mentioned, this campaign is a part of a larger trend we have observed from the beginning of 2019 – the comeback of malicious JavaScript attachments as a widely used attack vector. Figure 2 shows this development as seen in our telemetry.\r\nFigure 2 – Detections of malicious JavaScript distributed via email attachments, all of which are detected as JS/Danger.ScriptAttachment, in the last year\r\nOf particular note, the campaign spreading the Shade ransomware in January 2019 has been most active in Russia, with 52% of the total detections of these malicious JavaScript attachments. Among other affected countries are Ukraine, France, Germany, and Japan, as seen in Figure 3.\r\nFigure 3 - Distribution of ESET detections of malicious JavaScript attachments spreading Win32/Filecoder.Shade between January 1, 2019 and January 24, 2019\r\nBased on our analysis, a typical attack in the January 2019 campaign starts with the delivery of an email written in Russian, with an attached ZIP archive named “info.zip” or “inf.zip”.\r\nThese malicious emails pose as order updates, seemingly coming from legitimate Russian organizations. The emails we have seen impersonate the Russian bank B\u0026N Bank (note: recently merged with Otkritie Bank), and the retail chain Magnit. In one of the emails detected by ESET systems, the English translation is:\r\nSubject: Details of the order\r\nHello!\r\nI’m sending to you the details of the order. The document is enclosed.\r\nDenis Kudrashev, manager\r\nFigure 4 - Example of a spam email used in the January 2019 campaign\r\nThe ZIP archive contains a JavaScript file named “Информация.js” (which translates to “Information” in English). Once extracted and launched, the JavaScript file downloads a malicious loader, detected by ESET products as Win32/Injector. The malicious loader decrypts and launches the final payload – the Shade ransomware.\r\nThe malicious loader is downloaded from URLs at compromised, legitimate WordPress sites, where it is disguised as an image file. To compromise the WordPress pages, attackers used mass-scale password brute-force attacks carried out via automated bots. Our telemetry data shows hundreds of such URLs, all ending with the string “ssj.jpg”, hosting the malicious loader file.\r\nThe loader is signed using an invalid digital signature that claims to be issued by Comodo, as seen in Figure 5. The name in “Signer information” and the timestamp are unique for each sample.\r\nFigure 5 – Fake digital signature used by the malicious loader\r\nBesides this, the loader attempts to disguise itself further by posing as the legitimate system process Client Server Runtime Process (csrss.exe). It copies itself into C:\\ProgramData\\Windows\\csrss.exe, where “Windows” is a hidden folder created by the malware, and is not normally located in ProgramData.\r\nFigure 6 – The malware posing as a system process and using version details copied from a legitimate Windows Server 2012 R2 binary\r\nThe Shade ransomware\r\nThe final payload of this malicious campaign is crypto-ransomware dubbed Shade or Troldesh. First seen in the wild in late 2014, but frequently resurfacing since, the ransomware encrypts a wide range of file types on local drives. In the recent campaign, the ransomware appends the extension .crypted000007 to the encrypted files.\r\nThe payment instructions are presented to victims in a TXT file, in Russian and English, which is dropped to all drives on the affected computer. The wording of the ransom note is identical to that from the previously-reported October 2018 campaign.\r\nFigure 7 – The Shade ransomware ransom note from January 2019\r\nHow to stay safe\r\nTo avoid falling victim to malicious spam, always verify the authenticity of emails before opening any attachments or clicking on links. If necessary, check with the organization seemingly sending the email using contact details provided on their official website.\r\nFor Gmail users, it may be useful to know that Gmail has been blocking JavaScript attachments in both received and sent emails for almost two years now.\r\nUsers of other email services, including company mail servers, must rely on their awareness – unless they use some security solution capable of detecting and blocking malicious JavaScript files.\r\nSeveral different modules in ESET security products independently detect and block malicious JavaScript files.\r\nTo avoid having your WordPress website compromised, use a strong password and two-factor authentication and make sure to regularly update WordPress itself, as well as WordPress plugins and themes.\r\nIndicators of Compromise (IoCs)\r\nExample hashes of the malicious ZIP attachments\r\nESET detection name: JS/Danger.ScriptAttachment\r\nExample hashes of JavaScript downloaders\r\nESET detection name: Win32/Injector\r\nExample hashes of the Shade ransomware\r\nESET detection name: Win32/Filecoder.Shade\r\nCampaign-specific string in URLs hosting the Shade ransomware\r\nhxxp://[redacted]/ssj.jpg\r\nSource: https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/"
	],
	"report_names": [
		"russia-hit-new-wave-ransomware-spam"
	],
	"threat_actors": [],
	"ts_created_at": 1775439115,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d69fa7b205daea5bae3487f59968a6d7358baf9.pdf",
		"text": "https://archive.orkl.eu/9d69fa7b205daea5bae3487f59968a6d7358baf9.txt",
		"img": "https://archive.orkl.eu/9d69fa7b205daea5bae3487f59968a6d7358baf9.jpg"
	}
}