author photo
By Bruce Sussman
Wed | Apr 29, 2020 | 7:15 AM PDT

Do hackers ever experience a change of heart? 

It appears the operators of Shade ransomware just did, because they announced they're giving away more than three-quarters of a million ransomware decryption keys.

And they posted a very personal apology note, as well.

Shade ransomware shutdown and apology

On GitHub, the "Shade-Team" posted a contrite ransomware note that concludes with this message:

"We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data."

Free ransomware decryption keys

Like a store going out of business and liquidating everything, the operators of Shade ransomware also explained that everything must go, for free:

"We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all).

We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools.

All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed."

In other words, if you have data that remains encrypted by Shade ransomware, there is a really good chance you will soon be able to decrypt it for free. 

The ransomware group then offers a detailed step by step guide to decrypting Shade ransomware, but this may include disabling your anti-virus.

A safer bet is to follow the instructions on the No More Ransom Project on decrypting Shade ransomware. It offers two free decryption tools. Kaspersky Lab created one of them, Intel Security the other.

Why would criminals shut down their own kind of ransomware?

We don't know the motivation behind this hacker group's change of heart. But here are some possibilities:

1. The hackers may believe they are close to getting caught by law enforcement.

In his book "Ghost in the Wires," hacker Kevin Mitnick describes a number of occasions where he and his fellow hackers would back away from their exploits if they sensed law enforcement was closing in.

In most cases, this turned out to be a brief sabbatical from hacking, followed by a return to cybercrime and social engineering.

And do you remember the teenager hacker who announced his retirement when he was sure law enforcement was closing in? That's another example.

2. The hackers may have a more profitable venture in the works.

Criminal groups sometimes go quiet for months at a time because they are working on new attack tools, and then they suddenly make headlines when their new exploits are deployed—new exploits to make more money.

I recently interviewed the author of "Hunting Cyber Criminals," Vinny Troia. In the book, he discusses his technique of using aliases to regularly communicate with cybercriminals. He explains the number one motivation of hackers.

"I mean, money, always money, money.

Obviously, there's the hunt and the kill, right? So they love being able to hack different websites and the notoriety of being able to do it. I think notoriety is a big thing, also, being able to have their name associated with this, you know, monster hack or whatever.

But look, at the end of the day, they're looking for money."

Of course, maybe the Shade ransomware operators made so much money with the attacks that they don't need anymore. That's why the GrandCrab ransomware operators said they were quitting in 2019. They claimed to be holding some $2 billion in ransoms.

"We successfully cashed this money and legalized it in various spheres of white business both in real life and on the Internet," the GandCrab crew bragged. "We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come."

But for many cybercriminals, it's likely that opportunity will come calling again down the road, leading to future cybercrime exploits.

Related cybercrime podcast episodes

If you are interested in stories like this one, you'll really enjoy these two podcast episodes.

The first one is about how hackers and cybercriminals operate. The second one is about a volunteer group of cyber defenders who are fighting back. Listen here or on your device's podcast app.

You can see all of our podcast episodes here.