Over the last two weeks, the Kelihos spam botnet has been busy spreading the latest version of the Shade ransomware (also known as Troldesh), which now appends the ".no_more_ransom" extension at the end of each encrypted file.

Their gesture is a sign of irony, as the NoMoreRansom project has released a free decrypter over the summer that can help victims unlock files encrypted by this threat.

Shade ransomware uses JS files for the first time

This most recent campaign used the Kelihos botnet to send the spam messages that spread this threat. For this particular campaign, according to Arsh Arora, a malware analyst and Ph.D. researcher at the University of Alabama at Birmingham, crooks used emails that contained a malicious downlaod link.

The link downloaded a zipped JavaScript (JS) file or a Word document. If executed, the JS file would download and install a version of the Shade ransomware, while the Word document would use macros to the same thing.

Researchers noted that this was the first time they've seen Shade use JS files to infect victims. Most of this spam disguised as credit and banking-related emails.

Shade ransomware wallpaper
Shade ransomware wallpaper (Credit: Arsh Arora, Gary Warner)
Shade ransom note
Shade ransom note (Credit: Arsh Arora, Gary Warner)

The ransomware used a Gmail address for getting in contact with the crooks, but also a website on the Dark Web for handling ransom payments. At the time of writing, the website was down.

Ransomware also downloaded and installed Pony infostealer

In some infections, Arora says that Shade also installed the Pony malware, an infostealer that can find, extract, and exfiltrate data such as browser passwords, system details, and browsing history.

This is not the first time when Shade downloaded an additional malware. In August, the ransomware was downloading the Teamspy remote access trojan (RAT).

Crooks used the RAT to detect if they infected a valuable target and stole valuable data from the local PC or the company's network.

Kelihos botnet becomes active player in ransomware distribution

Besides the Shade ransomware spam, Arora says the Kelihos botnet was also seen delivering dating spam to Polish users and money mule spam to US users. The money mule spam was a cleverly designed message that tried to trick US users into relaying mysterious packages sent from China, most likely part of a criminal operation.

The Kelihos botnet, also known as Waledac, has become one of the primary sources for ransomware spam in the last few months.

The botnet was most recently used to deliver ransomware families such as Wildfire, Hades Locker, CryptFIle2 (or CryptMix) and MarsJoke (or JokeFromMars). The botnet also spammed banking trojans such as Panda Zeus, Nymain and Kronos.

Kelihos became a threat to be reckoned with in August when it tripled its size in just 24 hours.

Kelihos botnet activity on August 22
Kelihos botnet activity on August 22 (Source: MalwareTech)