Shade Ransomware - How to remove

Shade Ransomware

Shade Ransomware is an infection that can encrypt your personal files so you will not be able to open or use them anymore. In order to retrieve encrypted files, you will be asked to pay a certain ransom. However, paying the ransom does not mean that you will get your files back – most of the time users get tricked and scammed. That’s why we recommend to learn more about this particular ransomware and explore all available options to this situation. This ransomware is also known as Troldesh virus.

About Shade Ransomware

As you already know, developers of a malicious application called Shade Virus seek to make money by infecting users’ computers, encrypting their files and asking them to pay the ransom. This ransomware can encrypt all the most popular files, having the filename extensions, such as .jpg, .doc, .mp3, etc. The files encrypted are appended these extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg, .no_more_ransom. The maker’s e-mail address is sometimes added to file name, before the extension, e.g. {[email protected]}.xtbl.

Once your files have been encrypted, you will not be able to open or use them in any other way. Usually, users are threatened to pay the ransom as soon as possible, otherwise, the files are said to stay encrypted forever. You might be asked to send one of the encrypted files to the cyber criminals so they would send the decrypted version of the file back to you in order to prove to you that they have the decryption tool and that by paying the ransom you will solve your problems.

For the decryption of the files encrypted by Shade crypto-malware try the decryptor by No More Ransom project. There, you will also find a guide on how to use the decryptor. But before the trial copy the affected data and eliminate Shade Ransomware from your computer. It’s important to eliminate this ransomware completely because the leftovers of the malware can cause you more damage to the system.

Even though you can perform the removal of the virus manually, we recommend scanning your computer with trustworthy anti-malware applications. Use either Spyhunter or Malwarebytes to complete this task. You will find the detailed removal instructions below this article. If you have any questions regarding this topic, feel free to ask them in the comments section below.

Update of the 5th of December, 2016. Kelihos spam bonnet, aka Waledac, has been invoked to spread Shade crypto-locker. The spam e-mails are disguised as containing credit and banking information. The infected files they are attached to are the JS (JavaScript) files or Word documents. The ransom note, which is left after the latter files have been executed, the ransomware downloaded and the files encrypted, is the following:

 

Moreover, Shade file-encrypter can install Pony malware, which is an info stealer, capable of stealing even such sensitive information as passwords. By the way, in August of 2016 Shade malware was installing Teamspy RAT (Remote Access Trojan), which was used as a tool for diagnosing whether the infected computer or network was a valuable target.

Update of the 24th of April, 2017. Shade ransomware has been detected and it appears to feature .Dexter extension. Additionally, sample uses the same ransom note, written in the Russian language.

Update in April of 2020. The team behind Shade ransomware stopped distributing it at the end of 2019. The team has released all the decryption keys and a decryption tool, as is described in this GitHub page. The software provided by Shade’s developers is not very user-friendly, so if you use it on your files, make some backup copies first.

How to recover Shade Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Troldesh virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of Troldesh ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to .xtbl extension virus. You can check other tools here.  

Step 3. Restore .ytbl extension virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Shade Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Troldesh virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *