AhnLab Security Center


Shade Ransomware Shades into an Email


As ransomware evolves, attack methods are becoming increasingly diverse. Recently, the ransomware variant known as Shade was found to have disguised itself as an email attachment that appeared to be a scanned document from an all-in-one printer.


Though email has revolutionized communication by saving time and increasing convenience, its widespread use for the transmission of sensitive data (such as contracts and certificates) poses certain risks. Most notably, it has been a common entry point for malware. The recent Shade attacks have targeted recipients of emails sent from all-in-one printers encrypting important files on the infected systems, such as contracts and classified documents.


Shade is disguised as an email from an all-in-one printer as shown in Figure 1.. 


[Figure 1] Malware disguised as an email with scanned document


Because the sender’s address implies domain of the recipient, noreply@[domain of recipient], the message appears innocuous and is more likely to be opened. If the recipient clicks on the attached Word file, a pop-up message appears asking for a password.



[Figure 2] Pop-up message requesting password


Often when malware is disguised as a Word file, no password is demanded; in this case, however, a password was set to avoid detection. The password was provided in the body of the email to be manually entered by the recipient. Once the recipient retyped it, a macro within the document would immediately download and run Shade ransomware.



[Figure 3] Downloaded ransomware execution file


When Shade is executed, a batch file is created. This batch file deletes all the recorded shadow copies, the remote desktop connection history, and all the Windows event logs that contain the restore points.


Then Shade encrypts the files in the infected system and changes files’ extensions. Most file types, such as those ending in EXE and ZIP, as well as Microsoft Office files (ending in DOC, PPT, XLS, TXT), are targeted for encryption. Once encryption is complete, Shade deletes itself to destroy the evidence.



[Figure 4] File extensions before encryption (left) and after (right)



[Figure 5] Ransom note of Shade


One of the basic and important countermeasures against these threats is to use and update a proper Anti-virus software. V3, the internationally certified AhnLab’s anti-virus program, detects and remediate the relevant ransomware. 


When it comes to corporation’s security, it is recommended to implement Advanced Persistent Threat (APT) solution that detects and responds to e-mail based attacks. 


AhnLab’s Advanced Persistent Threat (APT) solution, AhnLab MDS, counters such malware attacks by employing Mail Transfer Agent (MTA) mode. In this mode, AhnLab MDS detects, analyzes, and quarantines potentially malicious emails, thereby responding effectively not only to advanced spear-phishing email attacks, but also to email-based ransomware.


To learn more about AhnLab MDS, please visit ahnlab.com.  ​​


Aliases identified by AhnLab solutions are as below.

<Aliases identified by AhnLab V3>

- Malware/W97M.Downloader

- Trojan/Win32.Globeimposter


<Aliases identified by AhnLab MDS>

- Malware/W97M.Downloader

- Malware/MDP.Ransomware​