New Shrug Ransomware Variant Discovered

August 15, 2018


Shrug ransomware was first noticed in early July. Now a new variant of this .NET ransomware has been detected with increased capabilities.

Shrug ransomware was mainly distributed bundled with fake software and apps, although the infection vector for the latest variant is unknown. Phishing emails, RDP attacks, and drive-by downloads may also be used in addition to bogus software.

Shrug2 ransomware was identified by researchers at Quick Heal Security, who analyzed its mode of operation. One of the first actions it performs is a check for an internet connection. The ransomware then checks the registry to determine whether the computer has already been infected. If not, a ‘ShrugTwo’ registry entry is created, and its creation date and time are used as the basis for how long the victim has to pay the ransom.

The researchers confirmed that the new variant of Shrug ransomware searches for 72 different file extensions. First, files are counted and a list is generated of the files that will be encrypted, named FilesToHarm. The list is used for both encrypting and decrypting files. Files are then encrypted using AES-256, and the shrug2 extension is appended to each encrypted file. The ransomware also deletes restore points to prevent recovery without paying the ransom.

A ransom note named @ShrugDecryptor@ is left on the desktop, demanding a payment of $70 in Bitcoin in exchange for the key to decrypt files. The ransom demand is considerably lower than that of many ransomware variants, which increases the likelihood of a victim paying to recover their files.
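The behaviour described above leaves three file-system artifacts an incident responder can look for: files carrying the shrug2 extension, the FilesToHarm list, and the @ShrugDecryptor@ note on the desktop. The following triage script is an added example, not code from the article or from Quick Heal; it walks a directory tree and reports those indicators. The sample tree it builds is constructed for the demonstration, and the assumption that the note and list are written as files whose names start with those strings (with whatever extension) is mine, since the article gives only the names. The ‘ShrugTwo’ registry marker is a further indicator, but the article does not give its key path, so it is left out here.

```python
"""
Added triage example (not from the article or Quick Heal Security).
Scans a directory tree for the file-system indicators the article
attributes to Shrug2:
  * files ending in ".shrug2" (the extension appended after AES-256 encryption)
  * the "@ShrugDecryptor@" ransom note dropped on the desktop
  * the "FilesToHarm" list built before encryption
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".shrug2"
RANSOM_NOTE_PREFIX = "@shrugdecryptor@"   # note name from the article, lower-cased
FILE_LIST_PREFIX = "filestoharm"          # list name from the article, lower-cased
# Assumption: the note and list are files whose names start with these strings;
# the article names them but does not state an extension.


@dataclass
class ShrugFindings:
    encrypted: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    file_lists: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Any one indicator is enough to treat the host as affected.
        return bool(self.encrypted or self.ransom_notes or self.file_lists)

    def summary(self) -> dict:
        """Sorted basenames per category, convenient for reports and tests."""
        return {
            "encrypted": sorted(os.path.basename(p) for p in self.encrypted),
            "ransom_notes": sorted(os.path.basename(p) for p in self.ransom_notes),
            "file_lists": sorted(os.path.basename(p) for p in self.file_lists),
        }


def scan_tree(root: str) -> ShrugFindings:
    """Walk `root` and classify every file against the three indicators."""
    findings = ShrugFindings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings.encrypted.append(path)
            elif lower.startswith(RANSOM_NOTE_PREFIX):
                findings.ransom_notes.append(path)
            elif lower.startswith(FILE_LIST_PREFIX):
                findings.file_lists.append(path)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample: one untouched document, two encrypted files,
    one ransom note on the desktop and the FilesToHarm list in the profile root."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Desktop"))
    for rel in ("Documents/notes.txt",
                "Documents/report.docx.shrug2",
                "Documents/photo.jpg.shrug2",
                "Desktop/@ShrugDecryptor@.txt",
                "FilesToHarm.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")


def demo() -> ShrugFindings:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print("infected:", result.infected)
    for category, names in result.summary().items():
        print(f"{category}: {names}")
```

Run against a real user profile directory with `scan_tree("C:/Users/<name>")`; a non-empty `encrypted` list is also the inventory of files that a clean backup copy will need to replace, which ties directly to the backup advice later in the article.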

There is currently no free decryptor for Shrug2 ransomware. Recovery without paying the ransom will depend on a valid backup having been made before file encryption. The researchers note that the ransomware is capable of deleting files if the ransom is not paid on time, ensuring that recovery will not be possible.

As with other types of ransomware, standard security best practices must be followed. Backups must be made frequently, with multiple copies created. At least one copy must be stored on a device that is not connected to the Internet.

Regular vulnerability scans must be carried out, and software must be kept patched and fully up to date. Antivirus software must be installed, a firewall must be used, spam filtering solutions deployed, and a web filter used to prevent malicious websites from being accessed. Strong, unique passwords are a must, and RDP should be disabled if not needed. If required, RDP connections should only be possible through a VPN.