New BlackShades Ransomware Accepts Payments via Paypal, Has Hidden Messages for Security Researchers

blackshades-ransomwareA new ransomware variant has been discovered by a security researcher named “Jack that encrypts data files and demands a ransom of $30 paid in bitcoins through Paypal. The ransomware, named BlackShades (detected by Trend Micro as CRYPSHED / Troldesh) a.k.a. SilentShades, is currently targeting English and Russian-speaking users.

Unlike other ransomware, it has included obfuscated strings of code that contain messages to security analysts who may be scrutinizing the malware.

In a report by’s Lawrence Abrams, one of the strings, when Google-translated from a Russian code said, “you cannot hack me, I am very hard.” Other codes were deciphered into messages such as, “Hacked by Russian Hackers in Moscow Tverskaya Street,” and “youaresofartocrackMe.”

The ransomware infects a system as a dropped file by other malware, or as a clicked file, downloaded and opened by users visiting compromised websites. According to The Malware Hunter Team, the ransomware is thought to be distributed through fake videos—given that the malware’s reference string is set to YouTube—as well as counterfeit ‘cracks’ and patches for popular programs and applications.

[Read: CryptXXX Ransomware Gets an Overhaul, Now Known as UltraCrypter?]

Upon execution, BlackShades will delete the computer’s shadow copies, which are back-up copies and snapshots of the computer’s files or volumes. It will then determine the infected system’s IP address and then it will check for internet connection by going to If connected, BlackShades will generate a unique ID for the victim and upload the information to its command and control server (C&C) along with the computer’s name, username, key, execution time, and the number of files that have been encrypted.

Capable of encrypting at least 195 file types using a 256-bit AES encryption, BlackShades will encrypt files stored on the C: drive’s folders, such as, Downloads, Documents, Desktop, Pictures, Music, Videos, and Public. Next it will drop a YourID.txt file, which contains the victim’s ID, in all folders and the desktop. Afterward, it  appends a .silent extension to the encrypted files.

During the encryption process, the malware communicates with its C&C to relay updates on the amount of files encrypted in the computer, after which it leaves a Hacked_Read_me_to_decrypt_files.Html file to the desktop, which serves as the ransom note. This note  is also copied to the start-up folder so victims are greeted by the ransom note every time they log in to the computer. Afterward the malware deletes itself and leaves behind only the ransom notes.

Victims are given 96 hours to pay the ransom, after which the decrypt key needed to unlock the files will be deleted from the database. Interestingly, the cybercriminals behind BlackShades also accept payments made via Paypal. Abrams noted, “The use of Paypal is an odd choice for any criminal activity as it can easily be traced.”

[Read: The History and Evolution of Ransomware]

In a separate report by cybersecurity firm Fortinet, another strain of ransomware has been found in the wild, this time targeting German users.

Named Herbst, the malware uses 256-bit AES and encrypts files in the computer’s desktop as well as its MyPictures, MyMusic and Personal folders whileattaching a .herbst extension to the encrypted files. The ransom note, written in German, demands a payment of 0.1 bitcoin (around $58.39 as of June 6, 2016) in order to get a decrypt key.

One of the firm’s security researchers, Rommel Abraham D Joven, noted that the malware—written in C#—is incomplete as it has several other functions that aren’t fully working, such as C&C communication and transaction ID verification. Joven added, “Our analysis shows that cybercriminals could be cooking a ransomware targeting a German audience. From the analysis, we conclude that Herbst is on its beta version which is still under development. The malware doesn’t provide any details on its C&Cs because it doesn’t call the HTTP function. We speculate that this version could just be a test to check AV vendors’ ability to detect it without giving away their C&C.”

[Read: New Ransomware Discovered: BadBlock and DMA Locker 4.0]

In the U.S., The FBI’s Internet Crime Complaint Center (IC3) reported having received at least 2,453 ransomware-related complaints in 2015, with financial losses at $1.6 million. With ransomware constantly maturing and evolving in terms of features, distribution and tactics, cybercriminals are marching deeper into the world’s computers. And considering the exponential growth of ransomware infections across the world, it is not surprising that individual users and enterprises find themselves as specific targets.

In Australia, at least 10,000 users have been affected with a scam email carrying malicious attachments. The spoofed email, purported to be from publicly listed energy company AGL, sent users a fake bill and prompted them to download and open a .zip file, with actual payloads  such as variants of the TorrentLocker (detected by Trend Micro as RANSOM_CRYPTLOCK.W) and CryptoLocker (TROJ_CRILOCK.YNG) ransomware. The victims—whose industries included utilities, education, finance and mining—were instructed to fork over US$640 ($A880) to decrypt the files held hostage by the malware.

TorrentLocker was also recently used in a similar campaign that targeted Swedish customers of Telia, a Nordic telecommunications company. The same has been reported in Israel when computers in the Israeli Electricity Authority were paralyzed by a ransomware attack.

In one of their advisories, the FBI recommends users and businesses to employ preventive measures such as awareness training for employees, and regularly updating and patching anti-malware solutions, OS, software, and firmware on digital devices, as well as business continuity efforts such as frequently backing up and securing important data.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.