Remove Troldesh/Shade Ransomware

I wrote this article to help you remove Troldesh/Shade Ransomware. This Troldesh/Shade Ransomware removal guide works for all Windows versions.

Troldesh/Shade Ransomware is a member of the most dangerous cyber threat family we are forced to deal with. Ransomware pieces are the worst kind of infection out there and if you have been so unlucky to get stuck with this particular one you must be familiar with the following message:

“Ваши файлы были зашифрованы. Чтобы расшифровать их, Вам необходимо отправить код: [random numbers] на электронный адрес decode010@gmail.com или decode1110@gmail.com. Далее вы получите все необходимые инструкции. Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.”

It translates to:

“All the important files on your computer were encrypted. To decrypt the files you should send the following code: [random numbers] to e-mail address decode010@gmail.com or decode1110@gmail.com. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data.”

Remove Troldesh/Shade Ransomware
The Troldesh/Shade Ransomware

This is the message which readers started reporting recently, explaining that it appears when they boot their computers. As mentioned, if this appears on your screen as well, you are in a lot of trouble. You have been infected with Troldesh/Shade Ransomware. Even though researchers say that, for the moment, Troldesh targets mostly Russian, Ukrainian, and German users this doesn’t mean that you cannot get infected anywhere in the world. You can and if you currently are, you are about to face a ton of issues.

The ransomware, once in your system, starts working immediately. It encrypts all of your files with the AES 256 encryption algorithm. It locks everything – files, documents, pictures, music, videos, etc. All of them. It can even encrypt some work-related data, which is very important. After the encryption process has finished, Troldesh appends new extensions to the locked files, such as “.ytbl”, “.xtbl”, “.breaking_bad”, “.heisenberg” and alters their original formats. Different versions of the ransomware even add strange extensions like “.better_call_saul” and other similar ones. Once the new extensions have replaced the old ones, your data is no longer available to you. You cannot read it, see it, watch it, or listen to it. Nothing. The files you have been left with are useless. The ransomware has also changed their names so you cannot tell which is which and since you are unable to check, there is nothing you can do.

After the locking process is complete, Troldesh drops a file named README.txt. This is the ransom note. It contains instructions, whit which you can recover your lost files. It also provides email addresses for you to get in touch with the ransomware authors – drugvokrug727@india.com, Lukyan.Sazonov26@gmail.com, VladimirScherbinin1991@gmail.com. According to the crooks, there is only one way to do that and, of course, it involves money. This is the main purpose of this ransomware (and all ransomware pieces in general) – monetary gain. This is what it has been created for. To get in your system, encrypt your files, and extort you for money. So, the ransom note claims that after you make the payment (in Bitcoins) you will receive a decryptor to help you retrieve the locked data. However, there is absolutely no guarantee that you will receive said decryptor. Don’t forget you are about to make a deal with cybercriminal, who are not famous for being reliable and trustworthy.

As we already explained, their main goal is gaining profit and they couldn’t care less about your files. So, paying these crooks will be your biggest mistake. It equals to giving up and supporting the Ransomware industry. Not to mention the security risk you take when giving these strangers access to your bank account. Fortunately, our removal guide below will help you get your files back and you don’t have to pay a cent. Just follow the instructions carefully. However, now knowing what kind of a headache a ransomware causes, consider getting a reliable anti-malware program to help you prevent this kind (and others) of infections.

You may also wonder how this nasty ransomware infected you. There are many entering tactics – freeware bundles, corrupted links/sites/ads, exploit kits. Another parasite, like a Trojan, can also be delivering a ransomware or the ransomware itself can pose as a fake program update. But the most popular infiltration method of all is still the spam messages. A ransomware can land directly into your regular inbox and if you one of the people who open everything without thinking twice about it, you are the easiest target. The ransomware delivering email doesn’t come with a neon sign in capital letter “THREAT”. It tricks you by pretending to be an invoice, for example, or a message from a shipping company, job application. Be extra careful what you click open when you don’t know who it If from. Preventing an infection is much easier that removing it later.

Troldesh/Shade Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, v deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Troldesh/Shade Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.