Black Shades targets Windows OS and, although the current distribution method has not yet been verified, it is believed to be distributed as fake videos, cracks, and patches. Once it is executed on a system, it deletes Shadow Volume Copies to prevent file restoration. Black Shades then determines the victim’s IP address, creates a unique victim ID, and checks for Internet access. If it is unable to connect to the website http://icanhazip to verify the victim’s IP address, the program will crash. It encrypts targeted files using AES-256 and drops a file containing the victim ID, named YourID.txt, in each folder. Black Shades appends all encrypted files with the extension .silent and keeps a running tally of files on its C2 server. After the encryption process is completed, Black Shades attempts to delete itself from the infected system. This variant is unique in that its ransom demand is very low at $30 USD and it accepts payment via both PayPal and Bitcoin.
- Bleeping Computer provides more information about Black Shades here.
- The NJCCIC is not aware of any decryption tools available for Black Shades.