New Shrug Ransomware Variant Detected

Shrug ransomware was first detected in early July. Now a new variant of this .NET ransomware variant has been detected, which has enhanced capabilities.

Shrug ransomware was primarily distributed bundled with fake software and apps, although the infection vector for the latest version is not known. Phishing emails, RDP attacks, and drive-by downloads may also be used in addition to fake software.

Shrug2 ransomware was detected by researchers at Quick Heal Security who analyzed its mode of operation. One of the first processes completed is a check for an internet connection. The ransomware then checks the registry to determine whether the computer has already been infected. If not, a ‘ShrugTwo’ registry entry is created and the creation time and date is used as the basis for how long the user has to pay the ransom.

The researchers determined the new variant of Shrug ransomware searches for 72 different files extensions. First, files are enumerated and a list is created of the files that will be encrypted – named FilesToHarm. The list is used for both encrypting and decrypting files. Files are then encrypted using an AES256 algorithm, and files are given the shrug2 extension. The ransomware also deletes restore points to prevent recovery without paying the ransom.

A ransom note is dumped on the desktop – named @ShrugDecryptor@ – which demands a payment of $70 in Bitcoin in exchange for the key to decrypt files. The ransom demand is substantially lower than many ransomware variants, which increases the probability of a victim paying to recover their files.

There is currently no free decryptor for Shrug2 ransomware. Recovery without paying the ransom will depend on a valid backup having been made prior to file encryption. The researchers note that the ransomware is capable of deleting files if the ransom is not paid on time ensuring recovery will not be possible.

As with other forms of ransomware, standard security best practices should be followed. Backups should be made regularly, with multiple copies created. At least one copy should be saved on a device that is not connected to the Internet.

Regular vulnerability scans should be performed and software should be kept patched and fully up to date. Antivirus software should be installed, a firewall should be used, spam filtering solutions deployed, and a web filter used to prevent malicious websites from being accessed. Strong, unique passwords are a must and RDP should be disabled if not required. If needed, RDP connections should only be possible via a VPN.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of