Infected with Shade ransomware? Need to decrypt your files?
What is Shade ransomware
Shade is a ransomware that is very similar to Wildfire, Hades Locker, CryptFIle2 (or CryptMix) and MarsJoke (or JokeFromMars). Once Shade ransomware has infected your computer, it encrypts various data. After finishing encrypting process, this ransomware adds .no_more_ransom extension (what an irony) to the name of all the encrypted files. It will create a text note named nomoreransom_note_original.txt / YourID.txt / hacked.txt in each folder with the encrypted data and on your desktop.
There are two features of this ransomware that differs it from other ransomware programs. First, it’s the fee for decrypting files. 30$ is rather smaller ransom in opposition to 500-1000$ (usually ransomware developers demand this amount of money). Even if the fee is not that big, don’t try to pay it to them, as there is no guarantee you will get your files back. Second feature is that these cyber criminals offers you to pay them through PayPal system, which is strange because PayPal payment is very easy to track unlike with Bitcoins system.
Every change Shade Ransomware makes on your PC is stating developer’s demands. These cyber criminals want you to contact them, then they will offer you to restore encrypted files by paying them a certain fee. You can find their email in each txt file. This is what these txt files usually contains:
“You have been struck with Black Shades All of your files were protected by a strong encryption with RSA-4096 More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) Your files will be encrypted for your life so don’t wait so long to restore your files because YOU CANNOT!! You need to follow one if these steps >
1- send 30$ = 0.0700 Bitcoin to this Account >> – and then contact firstname.lastname@example.org with your ID details (your will find it at [/Desktop or /Downloads or /Documents] Folder) and confirmation of your Money transaction.
2- Visit This website > http://daftoraytg.com/ and Follow the steps to Decrypt your files.
in (96) hours the key to decrypt your files will be Deleted from our database.
# NOTE > (100% you will have your all files back) if you will follow the steps 1 or 2
3- After your finished 1 of your Steps Open the Decrypter Program and Restore your all files which we will send to you after our Deal
Why is RSA-4096 dangerous?
After RSA-4096 sneaks into your system, without you even realising it, it goes to work.
It begins the encryption process and cleans everything you have stored on your computer. Every file, every photo, every video, music,documents, nothing is safe.
The infection encrypts everything. You still see it, but cannot open it. That’s its play. It keeps it right in your reach but doesn’t allow you to access it.”
Do not pay to these criminals, investing in their ransom scheme would not help you, because there is no guarantee that they will decrypt your files. That’s why you better try to solve this problem by yourself.
How Shade ransomware infected your PC
Shade Ransomware usually infects your PC through infected email attachments, fake software updaters and trojans – that’s why good anti-viruses is vitally important to avoid ransomware threat. You can also get this ransomware on file sharing networks, including torrent files. After finishing infiltrating process, Shade Ransomware take following steps:
- Shade Ransomware make a connection with its Command and Control server in order to receive configuration data and other information about your computer.
- Shade Ransomware changes your computer’s settings to make it run automatically whenever Windows starts up.
- Shade Ransomware is seeking for certain type of data and encrypting it with it’s advanced encryption algorithm.
The only way to protect your computer from such threats is use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.
What to do if you are infected with Shade ransomware virus?
First of all don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer, before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Shade ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
SpyHunter 4 – fully removes all instances of Shade ransomware – files, folders, registry keys.
Step 2: Remove following files and folders of Shade ransomware:
Remove following registry entries:
Remove following files:
How to restore files.hta
How to decrypt files infected by Shade ransomware (.no_more_ransom files)?
Use automated decryption tools
1. .no_more_ransom decryption tool from Kaspersky
There is ransomware decryptor from Kaspersky that can decrypt .no_more_ransom files. It is free and may help you restore .no_more_ransom files encrypted by Vegclass Ransomware virus. Download it here:
Decrypt .no_more_ransom files manually
Restore the system using System Restore
Although, latest versions of Shade ransomware remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – encrypted by Shade ransomware). This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Restore .no_more_ransom files using shadow copies
- Download and run Shadow Explorer.
- Select the drive and folder where your files are located and date that you want to restore them from.
- Right-click on folder you want to restore and select Export.
- Choose export location and view restored files.
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Information provided by: Alexey Abalmasov