United States Businesses Targeted in Shade Ransomware Attacks

Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.

Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.

The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.

An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.

Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.

SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.

The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.

These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.

If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.