Security researchers from Kaspersky Lab confirmed the validity of the leaked keys and are now working to create a free decryption tool.
The Shade gang posted a short message on GitHub in which it explains its decision.
"We are the team that created a trojan-encryptor known as Shade, Troldesh or Encoder.858. In fact, we stopped distributing it at the end of 2019. Now we have decided to put an end to this story and publish all the decryption keys we have (over 750 thousand). We hope that by having the keys, virus protection companies will issue their own, more user-friendly decryption tools. All other data related to our activity (including trojan source codes) was destroyed. We apologize to all the victims and we hope that the keys we have published will help them recover their data."
Although the hackers behind the Shade ransomware explained why they released the decryption keys, they did not explain why they stopped their activities. Several theories have begun to emerge among ransomware experts, but no one can be sure.
Before it shut down at the end of 2019, Shade was one of the oldest ransomware strains: it was first identified in 2014 and operated almost non-stop until a few months ago.
The hackers distributed it through a combination of email spam campaigns and exploit kits.
The ransomware was not perfect, however. Security researchers from Kaspersky and Intel Security (now McAfee) had managed to release many decryption applications that could help victims recover their files. On the other hand, the decryption tools only worked for a small number of Shade versions, and the last of them was released in 2017.
The decryption keys were released yesterday and will help all victims of the Shade (Troldesh) ransomware. It is believed that the keys will be effective for all versions of the ransomware and for all infected users.
The only condition is that users' encrypted files are still stored, so that they can be decrypted.
Security experts often recommend storing encrypted files on an offline hard drive. However, most victims fully restore their systems, deleting the encrypted data. Those who have saved their encrypted files can now recover them.