Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

BlackShades Crypter Ransomware

BlackShades Crypter Ransomware is one sneaky infection that slithers in and performs malicious actions without alerting the user. After it is done with its main task – which is encrypting personal files – it does not show a pop-up notification or replace your Desktop wallpaper with the message. Instead, it creates files containing some information, and it is up to the user to find them and figure out what is going on. In fact, according to our research team, there are only two ways that users can detect this threat. They either detect the files and folders created by this infection, or they discover the encrypted files with the ".silent" extension (e.g., example.jpg.silent). If executed successfully, it encrypts documents, media files, and other personal files that are impossible to replace, unless you have backups. Needless to say, removing BlackShades Crypter Ransomware is crucial, but there are a few other things you need to figure out before that.

Do you know how BlackShades Crypter Ransomware is distributed? Do you understand why it is important to know this? The distribution of this threat reveals the vulnerability within your operating system, and you need to fix it to ensure that other dangerous threats cannot attack in the future. Based on our research, we believe that the main source of distribution is corrupted spam email attachments. Cyber criminals can launch mass spam email attacks using the email addresses collected by unreliable programs (e.g., via fake surveys), or they can hijack personal email accounts to spread corrupted emails on a more personal level. In the case of BlackShades Crypter Ransomware, it is more likely that it will be spread to random addresses, and the corrupted file is likely to be camouflaged as an invoice or a document file. Once opened, the ransomware is silently executed, and it proceeds to create files.

The devious, clandestine BlackShades Crypter Ransomware copies itself into two different directories: %APPDATA%\Windows and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. In both of these directories, the malicious .exe files have the same name, which, in the long run, makes it easier to detect and delete them. According to our research, the file in the %APPDATA%\Windows directory also creates a point of execution (“Driver”) in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that, of course, also must be removed. Additionally, the ransomware creates three different files: YourID.txt and Ваш идентификатор, both of which provide a unique user ID that is required for the requested payment, as well as Hacked_Read_me_to_decrypt_files.Html. This file represents the demands of the creators of the malicious ransomware. Here are a few excerpts:

You have been strucked with BlackShades Crypter
Your files were protected by a strong encryption with RSA 4096.

You need to follow ones of this steps:
* Visit this website and follow the steps to decrypt your files.
* Send 30$ = 0.0700 Bitcoin to this account >> {account number} and then contact silentshades@protonmail.com with your confirmation of your money transaction.

Needless to say, BlackShades Crypter Ransomware has not “protected” your personal files. This threat has hijacked them, making it impossible for you to “read” them. Unfortunately, because these are personal files, users are likely to pay the relatively low ransom – compared to other ransomware threats that often demand 1-3 Bitcoin ransoms, such as Saraswati Ransomware – to get them back. Have you found a third-party decryption tool that has promised to decrypt your files for free or for a lower price? Be careful because fictitious decryption tools could be designed by cyber crooks to extort even more money from you or disguise other malicious infections. Are you thinking about paying the ransom? The good news is that it is extremely low compared to what other similar ransomware infections are demanding. The bad news is that ransomware cannot be trusted, and it is possible that files will remain encrypted regardless of a successful payment.

Unfortunately, you cannot just uninstall ransomware, and the processes required to have BlackShades Crypter Ransomware deleted are a little more complicated. If you are experienced, it should not take long to erase the files and the registry data associated with this ransomware, but if you are not experienced, the operation can be quite tricky. First, you need to identify the malicious file, and because its name is random and unpredictable, identifying it can be complicated. If you believe you are ready, use the guide below. Of course, just as we mentioned already, your operating system is vulnerable if ransomware manages to slither in, and you need to fix this as soon as possible. We advise implementing anti-malware software to have it taken care of.

BlackShades Crypter Ransomware Removal

  1. Tap Win+E keys together to launch Explorer.
  2. Enter %APPDATA% into the address bar and open the Windows folder.
  3. Delete the ransomware file with a random name (e.g., win.exe).
  4. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the address bar (if you use Windows XP, enter %ALLUSERSPROFILE%\Start Menu\Programs).
  5. Repeat step 3 to remove the second copy of the malicious file.
  6. Delete the file called Hacked_Read_me_to_decrypt_files.Html (the copies of this file can be found in other directories and folders on your PC, and you need to delete them as well).
  7. Tap Win+R keys to launch RUN.
  8. Type regedit.exe and click OK to launch Registry Editor.
  9. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  10. Delete the value named Driver (check the value data to see if it is associated with ransomware).
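
Before deleting anything, the locations named in the steps above can be checked with a read-only PowerShell script. This is an added example, not a tool from the research team behind this article; it assumes PowerShell 4.0 or later running as the affected user, and the helper names New-Finding and Get-Exe are hypothetical.

```powershell
#Requires -Version 4.0
# Added example: read-only triage for the indicators named in this article. Nothing is deleted.
$appDataWin = Join-Path $env:APPDATA 'Windows'
$startup    = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$noteNames  = 'Hacked_Read_me_to_decrypt_files.Html', 'YourID.txt'

function New-Finding([string]$Indicator, [string]$Path, [string]$Note) {
    [pscustomobject]@{ Indicator = $Indicator; Path = $Path; Note = $Note }
}
function Get-Exe([string]$Dir) {
    if (Test-Path -LiteralPath $Dir) {
        Get-ChildItem -LiteralPath $Dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    }
}

$findings = @()

# 1. Both copies share one file name: report executables present in both folders
#    and compare SHA-256 hashes to confirm they are the same binary.
$startupExe = @(Get-Exe $startup)
foreach ($exe in @(Get-Exe $appDataWin)) {
    $twin = $startupExe | Where-Object { $_.Name -eq $exe.Name } | Select-Object -First 1
    if ($twin) {
        $h1 = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $twin.FullName -Algorithm SHA256).Hash
        $findings += New-Finding 'Same-named exe in both folders' $exe.FullName "identical=$($h1 -eq $h2) sha256=$h1"
        $findings += New-Finding 'Same-named exe in both folders' $twin.FullName "sha256=$h2"
    }
}

# 2. Run value "Driver": show its data so it can be checked before anything is removed.
$run = Get-ItemProperty -LiteralPath $runKey -Name 'Driver' -ErrorAction SilentlyContinue
if ($run) {
    $data = [string]$run.Driver
    $hit  = $data.IndexOf($appDataWin, [StringComparison]::OrdinalIgnoreCase) -ge 0
    $findings += New-Finding 'Run value "Driver"' $runKey "data=$data pointsToAppDataWindows=$hit"
}

# 3. Ransom notes, ID files and ".silent" files anywhere in the user profile.
Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.silent' -or $noteNames -contains $_.Name } |
    ForEach-Object {
        $kind = if ($_.Extension -eq '.silent') { 'Encrypted file (.silent)' } else { 'Ransom note / ID file' }
        $findings += New-Finding $kind $_.FullName ''
    }

$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of these indicators were found for the current user; a "Driver" value whose data does not point into %APPDATA%\Windows may belong to legitimate software and should be checked before removal.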