Shrug ransomware victim? Here's how to retrieve your locked files for free

'Newbie' malicious developers have had a go at building and distributing ransomware -- but their mistakes mean damage can be avoided.
Written by Danny Palmer, Senior Writer


A new form of ransomware is being distributed through drive-by attacks, but victims can retrieve their locked files for free because of mistakes in the malware's code.

Shrug ransomware first appeared in the wild on July 6, and comes embedded in fake software and gaming apps. Those who get tricked into downloading and running the file-encrypting malware are met with an extensive and mocking ransom note penned by an attacker calling themselves Martha.

"I know what you're thinking. 'What happened?' Well the answer is quite simple. Before I tell you, promise you will not get mad. Okay. Your PC was a victim of a Ransomware attack," the message begins, before going on to demand $50 in Bitcoin in return for decrypting the files.

Like many forms of ransomware, Shrug provides the victim with instructions on how to buy and transfer Bitcoin, along with a threat that all files will be permanently destroyed in three days' time if the ransom isn't paid. Encrypted files are given a .SHRUG extension, and the ransom note is topped with the popular shrugging emoticon.

Image: The Shrug ransom note.
Shrug generates a random key for each victim, but researchers at cybersecurity company LMNTRIX found that the authors left the key needed to unlock the files on the victim's own machine: it is written to the Windows registry completely unencrypted, which unintentionally lets victims retrieve their files without paying the ransom.

The first step in recovering from Shrug, researchers say, is to restart the machine in order to terminate the process the ransomware uses to lock the mouse and keyboard.


Following that, they need to open File Explorer and navigate to the Shrug installer path, C:\Users\USERNAME\AppData\Local\Temp\shrug.exe, and permanently delete the shrug.exe file with Shift+Delete, which bypasses the Recycle Bin.

Next, they need to open the Run dialog (type 'Run' in the Windows search panel), enter 'regedit' to open the Registry Editor, and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

There they can identify and delete the value named 'Shrug', which is the entry that relaunches the ransomware at every logon. Finally, they should empty the Recycle Bin and restart the machine once more, at which point the ransomware is removed.
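The removal procedure above, written out as a PowerShell script. This is an added example, not code from the article or from LMNTRIX, and it makes a few assumptions the article does not state: that the running process is named "shrug", that the Run value is named exactly "Shrug", and the location of the evidence folder. Because the decryption key is reported to sit unencrypted in the registry, the script exports the Run key and hashes the binary before deleting anything, so that nothing needed for decryption is lost.

```powershell
# Added example (not the article's or LMNTRIX's code): triage and clean-up of a
# Shrug infection, following the steps the researchers describe.
# Assumed (not stated in the article): process name "shrug", Run value name
# "Shrug", and the evidence folder path. Run as the affected user after the
# reboot the researchers recommend.

$ErrorActionPreference = 'Stop'

$Installer = Join-Path $env:LOCALAPPDATA 'Temp\shrug.exe'   # C:\Users\<user>\AppData\Local\Temp\shrug.exe
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'Shrug'
$Evidence  = Join-Path $env:USERPROFILE 'shrug-evidence'     # assumed location for preserved artefacts

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Scope the damage: list every file carrying the .SHRUG extension.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.SHRUG' -File -ErrorAction SilentlyContinue
"{0} file(s) carry the .SHRUG extension" -f $encrypted.Count
$encrypted.FullName | Set-Content -Path (Join-Path $Evidence 'encrypted-files.txt')

# 2. Make sure the locking process is gone. The reboot should have killed it, but
#    the Run value will have relaunched it at logon, so stop it again here.
Get-Process -Name 'shrug' -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Preserve before destroying: the key reportedly lives unencrypted in the
#    registry, so export the Run key and keep a hash and copy of the binary.
reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $Evidence 'run-key.reg') /y | Out-Null
if (Test-Path $Installer) {
    Get-FileHash -Path $Installer -Algorithm SHA256 | Out-File -FilePath (Join-Path $Evidence 'shrug-exe.sha256')
    Copy-Item -Path $Installer -Destination (Join-Path $Evidence 'shrug.exe.bin')
}

# 4. Remove the installer. Remove-Item does not go via the Recycle Bin, so this
#    is the scripted equivalent of Shift+Delete.
if (Test-Path $Installer) { Remove-Item -Path $Installer -Force }

# 5. Remove the persistence entry, logging what it pointed at first.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $RunValue)) {
    "Run value '{0}' pointed at: {1}" -f $RunValue, $run.$RunValue
    Remove-ItemProperty -Path $RunKey -Name $RunValue
}

# 6. Verify both artefacts are gone before the final reboot.
$runNow     = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
$stillThere = (Test-Path $Installer) -or ($runNow -and ($runNow.PSObject.Properties.Name -contains $RunValue))
if ($stillThere) { throw 'Shrug artefacts remain; do not reboot yet.' }
"Clean. Finish with: Restart-Computer"
```

Two points a responder should keep in mind: the Run value means the first reboot the researchers recommend only buys a window before shrug.exe starts again at logon, so the script stops the process a second time rather than assuming it is dead; and because the article says the key is in the registry, the `reg export` in step 3 should be done before the Run value is deleted, not after.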

The nature of Shrug suggests that it's likely a first attempt to build ransomware by low-level cyber criminals who don't have the necessary abilities to make their wares truly effective.

"The developers are newbies. While showing some technical skill, we assume they're new to the ransomware criminal market and this could be one of their first campaigns," Bipro Bhattacharjee, lead threat researcher at LMNTRIX, told ZDNet.

The low value of the ransom demand could also indicate that the attackers themselves aren't confident in a product they might see as a work in progress.

"We have two theories on why the ransom was so low. The first is that this could be a live-test of the ransomware, the other is the developers are in dire financial need and have left a low amount to encourage more people to pay," Bhattacharjee added.

While researchers have cracked how to retrieve files encrypted by Shrug for free, the best means of defence against this and other forms of ransomware is not becoming infected in the first place.


In the case of Shrug, which arrives bundled with fake software and gaming apps, a good form of protection is to only download software from legitimate sources, cutting off the delivery route before the malware ever runs.

Despite ransomware not being as popular as it was last year, well-resourced, effective cyber criminal groups are still successfully making large amounts of money from distributing this form of malware.
