Home Security
PC Matic
PC Matic VPN
More Products
Support Unlimited
Identity Theft Protection
PC Magnum
Threat Awareness
How PC Matic Protects You
SuperShield Whitelist
Compare PC Matic
Norton
McAfee
Avast
AVG
Business Protection
PC Matic Pro
PC Matic MSP
Solutions
Allowlisting
Script Enforcement
Device Control
Patch Management
Remote Tools
Integrations
Server Security
Learn More
Resellers
Affiliates
Resources
Case Studies
Compare PC Matic Pro
ThreatLocker
Airlock Digital
VMware Carbon Black
AppLocker
For Federal
Partner Programs
Managed Service Providers
Channel Partners
Affiliate Partners
OEM Partners
Resource Center
All Resources
Case Studies
Data Sheets
User Guides
White Papers
Blog Resources
PC Matic Blog
Business Security
Home Security
Cyber News
Scam Alerts
Customer Service
Home Support
Business Support
Learn More
Getting Started
Knowledgebase
Tech Support Scams
Fake Virus Scams
Tools & More
Ransomware Center
Internet Speed Test
PC Matic
About
Careers
Learn More
Industry Recognition
Leadership
Commercials
Stay Up-to-Date
Newsroom
Blog
Events
TechTalk Podcast
Home Customers
My Account
PC Matic App
Add a Device
Renew Subscription
Business Customers
Business Login
Business Support
Search

BlackShades Ransomware Authors Leave Digital Crumbs Behind

I recently analyzed a new ransomware, called BlackShades, which left me scratching my head, as to why the author was leaving digital evidence of who they actually are…

BlackShades is a ransomware, which currently charges $30 USD to decrypt the files it encrypts.  It has been seen targeting Russian and US based computers.

One of the mistakes that the author made was accepting ransomware via PayPal. PayPal can directly tie the individual to their bank account, and can identify the person behind the screen, based off of personally identifiable information.

blackshades

When you create an account with PayPal, they ask for some personally identifiable information, such as your name and where you live. However, that information can be easily faked. I create an account for “Bob Jones”, added some fake information, and was soon granted access to Paypal.com.

blackshades1

However, this only gets me so far. If I want to transfer money out of PayPal, I need to tell them where I want the money to go to. In this case, I need to provide them information to my bank account. This information can also be tracked back to the owner of the account.

blackshades2

As if this wasn’t a bad enough choice in designing the ransomware, the author also hosted the decrypter service on a US based network, HostWinds. Due to the laws in the US, it would be very easy for someone in law enforcement to get a warrant for HostWinds to inspect the server, to see who is connecting to it, etc.

blackshades3

It also seems that the author of this ransomware is taunting security researchers. While this isn’t something we haven’t seen in the past, it does make the security researchers want to put a bit more time and effort into not only disrupting the attack, but also attributing it to a specific person. The idiom “don’t stir up the hornets’ nest” is true in this case.

Lastly, we know from the poor Russian translation and the poorly written English instructions that the person is not a native Russian or English speaker. It seems that they’ve used some online translations to come up with the instructions for how to pay them, to decrypt the files.

blackshades4

If you’d like more information about BlackShades, you can see a well written write-up by Lawrence Abrams on Bleeping Computer.

 

Stop Responding to Threats.
Prevent Them.

Get Protected

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles