What is Shrug ransomware? And how does it execute its attack?
Shrug ransomware is one of the latest ransomware discovered on July 6, 2018. This new crypto-malware is one of those typical ransomware infections that only implement a basic ransomware attack. It begins to execute its attack by employing a data gathering module that records all sensitive data in the machine including the user’s data. The data it collects will be processed and used by another component called stealth protection which counters any security programs found in the infected computer to make sure that nothing’s going to stop Shrug ransomware in completing its attack. It then makes modifications in the Windows Registry to achieve persistence and make it hard for victims to terminate it from their PCs.
It then looks for its targeted data and uses a strong encryption algorithm in locking them. It uses the .SHRUG extension in marking its encrypted files. After the encryption, it locks the computer screen which prohibits victims from accessing their computers. The note on the screen states:
“Oh shit waddup ¯\_(ツ)_/¯
—
I know what you’re thinking. “What happened?”
Well, the answer is quite simple. Before I tell you, promise me you will not get mad. Okay. Your PC was a victim of a Ransomware attack.
That means every important file is now encrypted and you can’t access them. Oh, and there is this screen locker too. You don’t have access to your PC anymore.
What a shame, huh?
There is only one way to get your stuff back. $50. It isn’t that much, cmon! I’ll give you instructions on how to pay. Alright. To successfully pay the ransom and unlock all your sh*t, you will need Bitcoins. But wait, it is only 50 USD in Bitcoins, no worries. Nothing to worry about. You can buy it on the internet.
Oh, and don’t even Google “how to remove a ransomware” because it will not help. When buying Bitcoins you will need a wallet. You can create one at a website called Blockchain. Now find a way to buy 50 USD in BTC. Google is your friend.
Then you must send the Bitcoins to the wallet specified in the right of the screen. After that, write your wallet inside that text box and finally click the button “I paid!”. Wait some time until I confirm your payment and fix your files.
– Martha”
If you are one of the victims of Shrug ransomware, you must not pay the demanded ransom as the files encrypted by this crypto-malware are totally decryptable. But before you do file recovery, you need to terminate Shrug ransomware first.
How does Shrug ransomware proliferate?
Shrug ransomware proliferates using spam emails so you need to double check any emails you receive before opening them as it could contain the malicious payload of Shrug ransomware.
To terminate Shrug ransomware, refer to the following removal guide.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options which is right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select “Safe Mode with Networking”.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for the process named “Shrug.exe” as well as any suspicious-looking process that could be related to this crypto-malware and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: From the list of installed programs, look for any unknown and dubious program that could be related to the Shrug malware and then uninstall it.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components of Shrug like “Shrug.exe” and then delete them all.
- %TEMP%
- %APPDATA%
- %Userprofile%\Robin
- %Userprofile%\Cerber
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by Shrug.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 14: Delete the registry keys and sub-keys created by Shrug.
Step 15: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Volume Shadow copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Shrug ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Once you’re done executing the steps given above, you need to continue the removal process of Shrug ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box ill show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now”button.