A new ransomware threat that locks user files and demands a ransom has recently been discovered by security researchers. The ransomware is called Black Shades Crypter and it targets both English- and Russian-speaking users.
Black Shades Crypter was discovered a couple of weeks ago by a security researcher who goes by the name Jack, the same researcher who spotted ZCryptor ransomware, which Microsoft issued a public alert about a few days later.
Infected users can recognise Black Shades Crypter by the extra “.silent” extension it appends to their files. Beyond that, two other things make Black Shades stand out among the flood of ransomware variants released every week.
The first is the small ransom demanded. Victims are told to pay only $30, either in Bitcoin or via PayPal, to unlock their files. That fee is extremely low compared to other ransomware families, which usually ask between 0.5 and 1 Bitcoin ($250 – $500).
The second is found in Black Shades’ code itself. According to security analyst Lawrence Abrams, the code contains encoded strings which, once decoded, turn out to be Russian messages taunting malware analysts. Some of the messages he found, translated via Google Translate, read:
“YoxcnnotcrackthisAlgorithmynare>idiot<
you can not hack me, I am very hard
Hacked by Russian Hackers in Moscow Tverskaya Street
youaresofartocrackMe”
At present, the distribution method of Black Shades is unknown. Another security researcher reports finding strings in the ransomware’s code that contain the term “YouTube”.
One possibility is that the attackers upload YouTube videos advertising game or software cracks which, when installed, also deploy Black Shades Crypter.
The infection process itself follows the usual pattern. Once executed, Black Shades encrypts data on all drives using AES-256.
Unlike BadBlock ransomware, which also encrypts critical Windows files on the system drive, on C: Black Shades only encrypts data in a list of selected folders.
Interestingly, in the initial stage of infection the ransomware looks up the victim’s public IP address by querying the icanhazip.com website.
To protect against Black Shades, users can open the Windows hosts file (c:\windows\system32\drivers\etc\hosts) and add an entry such as “127.0.0.1 icanhazip.com”. This resolves the initial icanhazip.com query to the local machine instead of sending it online, and the ransomware crashes every time.
Since this trick has already been publicly disclosed, it is very likely that upcoming Black Shades versions will fix the weakness soon.
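A small hosts-file sinkhole helper, added here as an example and not part of the original article or of any tooling it mentions: it reports whether icanhazip.com is already redirected, comments out any conflicting mapping to another address, and appends the 127.0.0.1 entry only when needed. The hosts file contents below are constructed sample data; the hostname, the 127.0.0.1 address and the file path are the ones given above.

```python
# Constructed sample of a Windows hosts file; not copied from any real system.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
10.0.0.5    intranet.example   # constructed entry
"""

def active_entries(hosts_text):
    """Yield (ip, [names]) for every mapping line that is not a comment."""
    for line in hosts_text.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped:
            continue
        parts = stripped.split()
        yield parts[0], parts[1:]

def sinkhole_status(hosts_text, hostname, ip="127.0.0.1"):
    """'missing', 'sinkholed', or 'conflict:<ip>' when hostname maps elsewhere.
    Only the first active match counts, as the resolver stops there."""
    for entry_ip, names in active_entries(hosts_text):
        if hostname.lower() in (n.lower() for n in names):
            return "sinkholed" if entry_ip == ip else f"conflict:{entry_ip}"
    return "missing"

def ensure_sinkhole(hosts_text, hostname, ip="127.0.0.1"):
    """Return (new_text, changed). Untouched if already sinkholed; otherwise
    comment out lines mapping hostname elsewhere and append the sinkhole."""
    if sinkhole_status(hosts_text, hostname, ip) == "sinkholed":
        return hosts_text, False
    lines = []
    for line in hosts_text.splitlines():
        names = [n.lower() for n in line.split("#", 1)[0].split()[1:]]
        if hostname.lower() in names:
            line = "# " + line + "   # disabled by ensure_sinkhole"
        lines.append(line)
    lines.append(f"{ip}\t{hostname}\t# sinkhole: breaks the malware's IP check")
    return "\n".join(lines) + "\n", True

if __name__ == "__main__":
    # Runs against the constructed sample. To apply it for real, read and
    # rewrite c:\windows\system32\drivers\etc\hosts from an Administrator prompt.
    text, changed = ensure_sinkhole(SAMPLE_HOSTS, "icanhazip.com")
    print("changed:", changed)
    print(text, end="")
```

The same helper works for any hostname a sample is observed contacting at start-up; a second run is a no-op, so it is safe to schedule.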