Shade Encryptor being spread via mail

The Shade Encryptor threat is being spread via email. The ransomware Trojan, which has been active since 2014, encrypts data on the infected device. Once the ransomware has encrypted the data, it appends the “.xtbl” or “.ytbl” extension to the affected files.

The team from Kaspersky has published a full report on their site about the “Shade Encryptor” ransomware.

Kaspersky states that the Shade Encryptor threat uses the following file names (note that Shade Encryptor is not limited to the files listed below):

  • doc_dlea
  • doc_dlea podpisi.rar
  • documenti_589965465_documenti.rar
  • documenti_589965465_doc.scr
  • неподтвержден 308853.scr
  • documenti dlea podpisi 05.08.2015.scr.exe
  • akt sverki za 17082015.scr

The following command and control servers were identified:

  • a4yhexpmth2ldj3v.onion
  • e4aibjtrguqlyaow.onion
  • gxyvmhc55s4fss2q.onion

Additional indicators:
