New Shrug Ransomware Variation Found

August 15, 2018


Shrug ransomware was first noticed in early July. Now a new variation of this .NET ransomware variation has been found, which has increased capabilities.

Shrug ransomware was mainly distributed bundled with bogus software and applications, even though the infection route for the latest edition is unknown. Phishing electronic mails, RDP attacks, and drive-by downloads might also be used besides fake software.

Shrug2 ransomware was found by scientists at Quick Heal Security who examined its method of operation. Among the first procedures finished is a check for an internet link. The ransomware after that checks the registry to decide whether the computer has already been infected. If not, a ‘ShrugTwo’ registry entry is generated and the generation time and date are used as the basis for how long the user has to pay the ransom.

The scientists established the new variation of Shrug ransomware searches for 72 different records extensions. First, records are numbered and a list is generated of the files that will be encoded – called FilesToHarm. The list is used for both encrypting as well as decrypting records. Records are then encoded using an AES256 algorithm, and records are given the shrug2 extension. The ransomware also erases restore points to avoid recovery without paying the ransom.

A ransom note is put on the desktop – named @ShrugDecryptor@ – which orders a payment of $70 in Bitcoin in return for the key to decrypt records. The ransom demand is considerably lower than several ransomware variations, which enhances the possibility of a sufferer paying to recover their records.

There is presently no free decryptor for Shrug2 ransomware. Retrieval without paying the ransom will depend on a legal backup having been made before file encryption. The scientists note that the ransomware is capable of erasing records if the ransom is not paid on time making sure retrieval will be impossible.

As with other types of ransomware, typical safety best practices must be followed. Backups must be made regularly, with several copies generated. At least one copy must be saved on an appliance that’s not linked to the Internet.

Normal weakness scans must be carried out and software must be kept repaired and completely up to date. Antivirus software must be installed, a firewall must be used, spam sieving solutions installed, and a web filter used to avoid malevolent websites from being retrieved. Strong, exclusive passwords are a must and RDP must be deactivated if not needed. If needed, RDP connections must only be possible through a VPN.