Decrypt all strains of Shade ransomware

Kaspersky researchers publish a decryptor that can help get back files encrypted by all strains of Shade/Troldesh ransomware.

Kaspersky researchers publish the decryptor that can help get back files encrypted by all strains of Shade/Troldesh ransomware

Remember Shade ransomware? We’re writing this post because it’s not a threat anymore, and you can get your files back, even those encrypted by the latest versions of Shade. Let’s talk about how that happened.

What is Shade ransomware?

Shade, also known as Troldesh, is a nasty cryptor that began spreading back in 2015. It encrypted office documents, pictures, and archives (as well as some other types of files) and then asked victims to pay for decryption. Different strains used fancy filenames such as breaking_bad and da_vinci_code. Shade also brought friends along — it downloaded other malware after it encrypted everything it wanted.

In 2016, our malware analysts managed to create a decryptor for the versions of Shade that existed back then. Cooperation between police, having seized the servers with the keys, and the security researchers, made that possible.

However, the group behind Shade didn’t go anywhere and continued to develop new strains of ransomware for which the decryptor didn’t work. The malefactors continued to spread Shade, remaining highly active through mid-2019.

The group behind Shade

Things eventually changed. In late 2019 and early 2020 the number of users that encountered Shade ransomware dropped significantly in comparison with previous years. And then the malefactors behind the ransomware announced that they had decided to abandon it. They even apologized for the harm they caused and published about 750,000 keys to decrypt the files.

That’s a good reason to update the decryption utility, which is exactly what we did. The new Shade decryptor is now available on, and it can help people get back their files encrypted by Shade, no matter which version of Shade got them into trouble.

Remember, we’re always saying that you should not pay the ransom even if there is no decryptor to get them back at the moment, because eventually it will be created. This is an example of such a case, and it’s a great example of why you should hold on to your encrypted files and wait, even if you have been hit by some other type of ransomware. One day, the decryptor will exist.

Better safe than rescued

It’s good that all the victims of Shade can now get their files back. However, it would’ve been better for them not to lose the files in the first place. So, here are our usual three tips that will help you not fall victim to ransomware:

  • Make regular backups. Here’s how to do that right.
  • Don’t click on suspicious links, and don’t open attachments to e-mails from unknown senders. Basically, use common sense and learn. Once you know the usual attack vectors, avoiding threats like Shade becomes second nature.
  • Use a good security solution. Even if you think you’re really good at spotting potential threats, a reliable security solution will help if once in a thousand times you miss one — just like the tightrope-walker still has that safety line attached, even though they’ve walked that rope a thousand times before.