A new ransomware called Black Shades Crypter was discovered by a security researcher named Jack that encrypts your data and ransoms it for the low price of $30 paid in bitcoins or Paypal. This ransom targets both English and Russian speaking victim's and appends the .silent extension to encrypted files.

Unusually, this ransomware includes strings in the executable that contain taunting messages to security researchers who may be analyzing the ransomware.

Unfortunately, at this time there is no way to decrypt this ransomware for free. For those wish to discuss this ransomware or need help, you can ask in our support topic: SilentShade BlackShades Ransomware (.silent) Help Topic (Hacked.txt, YourID.txt).

Black Shades Crypter Taunts Security Researchers

When analyzing the Black Shades ransomware there are multiple obfuscated strings in the source code that appear to be taunting security researchers who are analyzing it. Some of these strings are simply base64 encoded, while two others use basic string manipulation that is easily decoded.

The obfuscated strings that were found are shown below:

The above strings translates to: YoxcnnotcrackthisAlgorithmynare>idiot<

This decodes to the Russian String: вы не можете взломать меня я очень жесткий

In English (Google Translated. I can't make this stuff up): you can not hack me, I am very hard

Text5 decodes to: Hacked by Russian Hackers in Moscow Tverskaya Street

Text6 decodes to: youaresofartocrackMe

The Black Shades Crypter Encryption Process

It is currently unknown how the Black Shades Ransomware is being distributed, but based on the string YouTube embedded in the executable, MalwareHunterTeam thinks it may be distributed as fake videos, fake cracks, or fake patches.

Once executed, Black Shades will delete the Shadow Volume Copies on the computer using this command:

cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet

It will then determine the victim's IP address by going to the site http://icanhazip.com and to see if there is an Internet connection by going to Google.com. If the program cannot connect to icanhazip.com it will crash and display the below error. This means that you can modify your hosts file and point icanhazip.com to 127.0.0.1 to block this ransomware from encrypting a computer.

Crash Error

It will then create a unique ID for the victim and check to see if it can connect to Google. If it is able to, it will upload it along with the computer name, user name, key, execution time, the number 0 to act as a placeholder for the amount of files encrypted, and a reference string to the Command & Control server. This reference string is currently set to Youtube.

When encrypting a victim's computer, Black Shades will only encrypt the following folders on the C: drive using AES-256 encryption and also drop a file in each folder called YourID.txt, which contains the unique victim ID. When encrypting the Desktop it will also drop the Ваш идентификатор file, which contains the victim ID as well.

%Userprofile%\Downloads %Userprofile%\Documents %Userprofile%\Desktop %Userprofile%\Pictures %Userprofile%\Music %Userprofile%\Videos C:\Users\Public

On other drives, it will encrypt every folder it scans. When encrypting a file it will append the .silent extension to encrypted files. For example, test.jpg will become test.jpg.silent. When encrypting files it will only encrypt those that have one of the following extensions.

.vb,.cs,.c,.h,.html,.7z,.tar,.gz,.m4a,.wma,.aac,.csv,.rm,.txt,.text,.zip,.rar,.m,.ai,.cs,.db,.nd,.xlsx,.pl,.ps,.py,.3dm,.3ds,.3fr,.3g2,.ini,.xml,.jar,.lz,.mda,.log,.mpeg,.myo,.fon,.gif,.JNG,.jp2,.PC3,.PC2,.PC1,.PNS,.MP2,.AAC,.3gp,.ach,.arw,.asf,.asx,.avi,.bak,.bay,.mpg,.mpe,.swf,.PPJ,.cdr,.cer,.cpp,.cr2,.crt,.crw,.dbf,.dcr,.html,.xhtml,.mhtml,.asp,.dds,.der,.des,.dng,.doc,.dtd,.dwg,.dxf,.CSS,.rss,.jsp,.php,.dxg,.eml,.eps,.ert,.fla,.fla,.flv,.hpp,.docm,.docx,.flac,.iif,.ipe,.ipg,.kdc,.key,.lua,.m4v,.max,.xls,.yuv,.back,.mdb,.mdf,.mef,.mov,.mp3,.mp4,.mpg,.mrw,.x3f,.xlk,.xlr,.msg,.nef,.nk2,.nrw,.oab,.obi,.odb,.odc,.wmv,.wpd,.wps,.odm,.odp,.ods,.odt,.orf,.ost,.p12,.p7b,.vob,.wav,.wb2,.p7c,.pab,.pas,.pct,.pdb,.pdd,.pdf,.per,.sr2,.srf,.str,.ar,.bz2,.rz,.s7z,.apk,.zipx,.pem,.pfx,.pps,.ppt,.prf,.psd,.pst,.ptx,.rw2,.rwl,.sql,.3gp,.qba,.qbb,.qbm,.qbr,.qbw,.qbx,.qby,.r3d,.raf,.raw,.rtf,.AVI,.indd,.java,.jpeg,.pptm,.pptx,.xlsb,.xlsm,.jpg,.png,.ico,.JPG,.MP4,.MP4,.FLV,.MKV,

During different stages of the encryption process it will check again for the ability to connect to Google, and if possible, will connect to the Command & Control server and send an update that contains the count of files that have been encrypted.

When done encrypting, Black Shades will create the Hacked_Read_me_to_decrypt_files.Html ransom note on the Windows Desktop and also copy it into the victim's startup folder so that it shows every time the user logs into the computer.

HTML Ransom Note

This ransom note contains instructions on how to connect to the associated payment site, which is described below.

When this whole process is completed, Black Shades will try to delete itself and leave behind only the ransom notes.

The Black Shades File Decrypter Site

The Black Shades Ransom note contain a link to the payment site where a victim can pay the ransom. This site is titled the Black Shades File Decrypter and allows a victim to make a payment in bitcoins or using Paypal.

Payment Site

The use of Paypal is an odd choice for any criminal activity as it can easily be traced.

Updates:

6/3/16 - MalwareHunterTeam pointed out that not being able to connect to http://icanhazip.com will generate a crash. Also realized that Google connection is only for checking if connected to the Internet.

Files associated with the Black Shades Crypter Ransomware:

%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.exe %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hacked_Read_me_to_decrypt_files.Html %UserProfile%\AppData\Roaming\Windows\win.exe YourID.txt Ваш идентификатор Hacked_Read_me_to_decrypt_files.Html

Registry Entries associated with the Black Shades Crypter Ransomware::