Ransomware is currently undecryptable, but there's a trick to stop the Black Shades' encryption process early

Jun 6, 2016 23:55 GMT  ·  By

Security researchers have discovered yet another ransomware threat that locks user files and asks for a ransom. This one's called Black Shades Crypter and targets both Russian and English users.

A security researcher who goes only by the name of Jack (@Malwareforme) discovered the ransomware almost two weeks ago. This is the same person who spotted the ZCryptor ransomware, for which Microsoft issued a public alert a few days later.

Users who get infected with the ransomware can tell by the extra extension Black Shades adds to their files, which is ".silent".

Black Shades asks for very little money

There are also two other things that make Black Shades stand out from the flood of ransomware versions that appear every week.

The first one is the extremely small ransom the crooks ask from victims. All infected users are told that they only need to pay a $30 ransom, either in Bitcoin or via PayPal, to unlock their files.

This ransom fee is very small compared to other ransomware versions that usually ask between 0.5 and 1 Bitcoin ($250 - $500).

Ransomware authors issue challenge to security researchers

The second thing that also stands out, or at least for security researchers, is found in Black Shades' source code.

Bleeping Computer analyst Lawrence Abrams says he found encoded strings in Black Shades' code, which, when decoded, are Russian texts that issue challenges to malware analysts. Some of the texts he found, translated via Google Translate, say:

YoxcnnotcrackthisAlgorithmynare>idiot<
you can not hack me, I am very hard
Hacked by Russian Hackers in Moscow Tverskaya Street
youaresofartocrackMe

Black Shades may be distributed via YouTube video spam

The source of Black Shades infections is currently unknown. Another security researcher who also analyzed the malware, MalwareHunterTeam, says that he found strings in the ransomware's code containing the term "YouTube."

It may be possible that crooks upload videos on YouTube advertising games or software cracks, which, if installed, also deploy the Black Shades ransomware.

The ransomware's infection process is somewhat similar to the standard routine. Once launched into execution, Black Shades will use an AES-256 algorithm to encrypt data on all drives.

Unlike the BadBlock ransomware, which also encrypts crucial Windows files on the system drive, Black Shades encrypts data on C: only from a list of selected folders.

There's a trick to stop the Black Shades encryption

A peculiarity spotted by MalwareHunterTeam can also give users a measure of protection against this threat. Apparently, in its initial stages of infection, the ransomware checks the user's IP address by querying the icanhazip.com website.

MalwareHunterTeam discovered that, if this query fails, the ransomware crashes altogether with a message like the one in the image below.

Black Shades crash message

Users who want to avoid getting infected with Black Shades can open their Windows hosts file (c:\windows\system32\drivers\etc\hosts) and add an entry such as "127.0.0.1 icanhazip.com".

This will redirect the initial icanhazip.com query to your own computer instead of forwarding it online, and crash the ransomware every time.
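The following script is an added example and is not part of the original article or of any researcher's tooling. It applies the hosts-file mitigation described above in an idempotent way: it parses the file, ignores commented-out lines, refuses to silently override an existing non-loopback mapping, and only appends the sinkhole entry when none is active. The Windows path is the one the article names; the sample hosts content embedded in the script is constructed for the demonstration.

```python
"""Idempotently sinkhole a hostname in a hosts file (added example, not from the article)."""
import ipaddress
import sys
from typing import List, Tuple

# Windows hosts file location named in the article (assumed default install).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file used for the offline demonstration.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
192.168.1.10   fileserver.corp.example   fs
# 127.0.0.1  icanhazip.com     <- commented out, so NOT active
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every active (non-comment) mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # first field must be an IP address
        except ValueError:
            continue                          # malformed line: ignore it
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def active_mappings(text: str, hostname: str) -> List[str]:
    """IPs that the hosts file currently maps `hostname` to (case-insensitive)."""
    hostname = hostname.lower()
    return [ip for ip, names in parse_hosts(text) if hostname in names]


def is_sinkholed(text: str, hostname: str) -> bool:
    """True when the hostname is mapped and every active mapping is a loopback address."""
    ips = active_mappings(text, hostname)
    return bool(ips) and all(ipaddress.ip_address(ip).is_loopback for ip in ips)


def ensure_sinkhole(text: str, hostname: str, ip: str = "127.0.0.1") -> Tuple[str, bool]:
    """Return (new_text, changed).

    Appends '<ip> <hostname>' only when no active loopback mapping exists.
    A pre-existing mapping to some other address is reported, not overridden,
    so an operator reviews it instead of the script silently changing behaviour."""
    if is_sinkholed(text, hostname):
        return text, False
    others = active_mappings(text, hostname)
    if others:
        raise ValueError(f"{hostname} already mapped to {others}; review before changing")
    if text and not text.endswith("\n"):
        text += "\n"
    text += f"{ip}\t{hostname}\t# sinkholed: the malware's IP check fails and it crashes\n"
    return text, True


def apply_to_file(path: str, hostname: str) -> bool:
    """Edit a real hosts file in place (requires an elevated prompt on Windows)."""
    with open(path, "r") as fh:
        original = fh.read()
    new_text, changed = ensure_sinkhole(original, hostname)
    if changed:
        with open(path + ".bak", "w") as fh:
            fh.write(original)                # keep a copy of the untouched file
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        print("changed:", apply_to_file(WINDOWS_HOSTS_PATH, "icanhazip.com"))
    else:
        new, changed = ensure_sinkhole(SAMPLE_HOSTS, "icanhazip.com")
        print("sinkholed before:", is_sinkholed(SAMPLE_HOSTS, "icanhazip.com"))
        print("changed:", changed, "sinkholed after:", is_sinkholed(new, "icanhazip.com"))
        print(new)
```

Run it without arguments to see the dry run on the embedded sample; `--apply` edits the real hosts file and writes a `.bak` copy first. The hosts override only affects lookups that go through the system resolver, so it does nothing against a sample that carries a hard-coded IP or resolves the name some other way, and it stops working the moment the authors change or drop the check, which the article notes is likely.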

Since this trick was already disclosed by security researchers, it will probably be fixed in future Black Shades versions.

Currently, the Black Shades ransomware is uncrackable. Users who need advice in dealing with this threat can visit Bleeping Computer's Black Shades support forum.

[Images: Black Shades decryption website on the Dark Web; Black Shades crash message]