Security researchers have discovered yet another ransomware threat that locks user files and asks for a ransom. This one’s called Black Shades Crypter and targets both Russian and English users.

A security researcher that goes only by the name of Jack (@Malwareforme) discovered the ransomware almost two weeks ago. This is the same researcher that spotted the ZCryptor ransomware, for which Microsoft issued a public alert a few days later.

Users that get infected with the ransomware can tell by the extra extension Black Shades adds to their files, which is “.silent”.


Black Shades asks for very little money

There are also two other things that make Black Shades stand out among the flood of ransomware versions that appear every week.

The first one is the extremely small ransom the crooks ask from victims. All infected users are told that they only need to pay a $30 ransom, either in Bitcoin or via PayPal, to unlock their files.

This ransom fee is very small compared to other ransomware versions that usually ask between 0.5 and 1 Bitcoin ($250 – $500).

Ransomware authors issue challenge to security researchers

The second thing that also stands out, or at least for security researchers, is found in Black Shades’ source code.

Bleeping Computer analyst Lawrence Abrams says he found encoded strings in Black Shades’ code, which when decoded are Russian texts that issue challenges to malware analysts. Some of the texts he found, translated via Google Translate, say:

YoxcnnotcrackthisAlgorithmynare>idiot<
you can not hack me, I am very hard
Hacked by Russian Hackers in Moscow Tverskaya Street
youaresofartocrackMe
Black Shades may be distributed via YouTube video spam

The source of Black Shades infections is currently unknown. Another security researcher that also analyzed the malware, MalwareHunterTeam, says that he found strings in the ransomware’s code containing the term “YouTube”.

It may be possible that crooks upload videos on YouTube advertising games or software cracks, which if installed also deploy the Black Shades ransomware.

The ransomware’s infection process is somewhat similar to the standard routine. Once launched into execution, Black Shades will use an AES-256 algorithm to encrypt data on all drives.

Unlike the BadBlock ransomware which also encrypts crucial Windows files, on the system drive, Black Shades encrypts C: data only from a list of selected folders.

There’s a trick to stop the Black Shades encryption

A peculiarity spotted by MalwareHunterTeam can also give users a measure of protection against this threat. Apparently, in its initial stages of infection, the ransomware checks the user’s IP address by querying the icanhazip.com website.

MalwareHunterTeam discovered that if this query fails, the ransomware crashes altogether with a message like the image below.

Black Shades crash message

Black Shades crash message

Users that want to avoid getting infected with Black Shades can open their Windows hosts file (c:windowssystem32driversetchosts) and add an entry like “127.0.0.1 www.icanhazip.com”.

This will redirect the initial icanhazip.com query to your own computer instead of forwarding it online, and crash the ransomware every time.

Since this trick was already disclosed by security researchers, it will probably be fixed in future Black Shades versions.

Currently, the Black Shades ransomware is uncrackable. Users that need advice in dealing with this threat can visit Bleeping Computer’s Black Shades support forum.

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲