Hackers retire Troldesh ransomware and release 750,000 decryption keys
The team behind the malware has mysteriously shut it down just months after spearheading an explosion in activity
A prominent hacking outfit that deployed the ransomware known as Shade, or Troldesh, to devastating effect has “irrevocably destroyed” the Trojan and released 750,000 decryption keys.
The cyber criminals behind the malware confirmed they retired the ransomware towards the end of last year, after six years of activity, and apologised to victims without explaining why. A Kaspersky researcher has confirmed that the released decryption keys are genuine.
The Trojan, which accounted for 6% of all ransomware attacks in 2017, saw a massive increase in detections from the fourth quarter of 2018 to the first quarter of 2019, spiking in February 2019, according to Malwarebytes, which ranked it among the most widely distributed malware of the first half of that year.
Those behind the Troldesh campaigns have now unexpectedly released 750,000 decryption keys, along with their own "decryption soft", in the hope that security companies can build more user-friendly decryption tools on top of them.
“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019,” the now-former hackers said in a GitHub post. “Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all).
“All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”
Troldesh typically spread through malicious email attachments, usually zip archives presented as something the victim had to open quickly. The archive contained a JavaScript file which, when run, downloaded the ransomware payload from websites whose content management system (CMS) had been compromised.
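The delivery chain above (zip attachment, script inside, payload fetched later) is the part a mail gateway can catch before any payload is downloaded. The following is an added example, not code from the article or from any vendor: it unpacks an attachment in memory and flags archive members that end in a Windows Script Host or shell-executable extension, including the double-extension trick such as `invoice.pdf.js`. The extension list and the sample archives are constructed here for illustration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions that Windows will hand to wscript/cscript, mshta or cmd when a user
# double-clicks the extracted file. Assumption: an illustrative baseline, not a
# complete list.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1",
}


@dataclass
class Finding:
    member: str   # path of the archive member that triggered the finding
    reason: str   # short human-readable explanation


def _extensions(name: str) -> list[str]:
    """All dotted suffixes of a file name, lowercased: 'a.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def scan_zip_attachment(data: bytes) -> list[Finding]:
    """Inspect a zip attachment without extracting it to disk.

    Returns one Finding per member whose final extension is a script type.
    A member with more than one extension (e.g. 'invoice.pdf.js') is reported
    separately, because that pattern is chosen to hide the real type from users
    who have 'hide extensions for known file types' enabled.
    """
    findings: list[Finding] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid zip file")]

    for info in archive.infolist():
        if info.is_dir():
            continue
        exts = _extensions(info.filename)
        if not exts:
            continue
        last = exts[-1]
        if last in SCRIPT_EXTENSIONS:
            if len(exts) > 1:
                findings.append(Finding(info.filename, f"double extension ending in {last}"))
            else:
                findings.append(Finding(info.filename, f"script file {last}"))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure archive in the style the article describes, and a
# benign one. The JavaScript body is a placeholder, not a real downloader.
SAMPLE_LURE = build_sample_zip({
    "invoice_details.pdf.js": b"// constructed placeholder; a real lure would fetch the payload here",
})
SAMPLE_CLEAN = build_sample_zip({"report.pdf": b"%PDF-1.4 (constructed)"})

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, scan_zip_attachment(blob))
```

Scanning the archive in memory rather than extracting it keeps the check safe to run on a gateway, and rejecting malformed archives outright closes the obvious bypass of sending a corrupt zip that the client will still open.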
The ransomware is thought to have been run by Russian-speaking operators, since the ransom notes were often written in both English and Russian.
The group has offered no explanation for shutting the operation down towards the end of 2019.
The timing is hard to ignore: Troldesh activity had surged earlier that year to levels well beyond anything recorded since the malware was first spotted in 2014.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.