{ "id": "53cdd5fd-1dd0-49e5-943c-186ea33d6474", "created_at": "2026-04-06T00:20:11.247229Z", "updated_at": "2026-04-10T03:21:38.316755Z", "deleted_at": null, "sha1_hash": "c818b88cf53fbaf63b2a246e1289b1b357ca2c41", "title": "Shade (Troldesh) ransomware shuts down and releases decryption keys", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 607056, "plain_text": "Shade (Troldesh) ransomware shuts down and releases decryption\r\nkeys\r\nBy Catalin Cimpanu\r\nPublished: 2020-04-27 ยท Archived: 2026-04-05 23:48:43 UTC\r\nImage: ZDNet\r\nThe operators of the Shade (Troldesh) ransomware have shut down over the weekend and, as a sign of goodwill,\r\nhave released more than 750,000 decryption keys that past victims can now use to decrypt their files.\r\nSecurity researchers from Kaspersky Lab have confirmed the validity of the leaked keys and have released a free\r\ndecryption tool.\r\nIn a short message posted in a GitHub repository, the Shade team explained what led to their decision.\r\nWe are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In\r\nfact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this\r\nstory and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing\r\nour decryption soft; we also hope that, having the keys, antivirus companies will issue their own more\r\nuser-friendly decryption tools. All other data related to our activity (including the source codes of the\r\ntrojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys\r\nwe published will help them to recover their data.\r\nWhile the Shade gang explained why they released the decryption keys, they did not explain why they shut down.\r\nSeveral theories have started to form among ransomware experts, yet none are based on actual tangible threat\r\nintelligence.\r\nhttps://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/\r\nPage 1 of 2\n\nPrior to shutting down at the end of 2019, the Shade ransomware has been one of the oldest ransomware strains,\r\nbeing first spotted in 2014 and operating almost non-stop until it shut down last year.\r\nIt was also one of the most most active ransomware operations [1, 2], being distributed via a combination of email\r\nspam campaigns and exploit kits.\r\nThe ransomware wasn't perfect, though, and during its lifetime, security researchers from Kaspersky and Intel\r\nSecurity (now McAfee) have released multiple decryption apps that could help victims recover files. However, the\r\ndecrypters only worked against a small number of Shade versions, and the last of these tools was released in 2017.\r\nThe decryption keys released today will help all users who had files encrypted by the Shade ransomware. The\r\nkeys are believed to account for all versions of the ransomware and all users who ever got infected.\r\nThe only condition is that users still have the encrypted files laying around, so they can be decrypted.\r\nWhile security experts often recommend saving ransomware-encrypted files on an offline hard drive, most victims\r\nsimply reinstall their computer from scratch, deleting the encrypted data. Those who saved their encrypted files\r\ncan now recover data they once considered lost.\r\nUpdated on May 1 with a link to Kaspersky's free decryption tool.\r\nEditorial standards\r\nSource: https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/\r\nhttps://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/" ], "report_names": [ "shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys" ], "threat_actors": [], "ts_created_at": 1775434811, "ts_updated_at": 1775791298, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c818b88cf53fbaf63b2a246e1289b1b357ca2c41.pdf", "text": "https://archive.orkl.eu/c818b88cf53fbaf63b2a246e1289b1b357ca2c41.txt", "img": "https://archive.orkl.eu/c818b88cf53fbaf63b2a246e1289b1b357ca2c41.jpg" } }