Shrug ransomware first appeared in the wild on July 6, and comes embedded in fake software and gaming apps. Those who get tricked into downloading and running the file-encrypting malware are met with an extensive and mocking ransom note penned by an attacker calling themselves Martha.
"I know what you're thinking. 'What happened?' Well, the answer is quite simple. Before I tell you, promise you will not get mad. Okay. Your PC was a victim of a Ransomware attack," the message begins, before going on to demand $50 in Bitcoin in return for decrypting the files.
Like many forms of ransomware, Shrug provides the victim with instructions on how to buy and transfer Bitcoin, along with a threat that all files will be permanently destroyed in three days' time if the ransom isn't paid. Encrypted files are given a .SHRUG extension, and the ransom note is topped with the popular shrugging emoticon.
Shrug generates a random key for each victim, but researchers at cyber security company LMNTRIX found that the authors left the keys needed to unlock the files in the directory, unintentionally enabling victims to retrieve their files without paying the ransom. The keys were found in the registry, completely unencrypted.
To decrypt files locked by Shrug, researchers say victims first need to restart the machine to terminate the process the ransomware uses to lock the mouse and keyboard.
Next, they need to open File Explorer, navigate to the Shrug installer path, C:\Users\USERNAME\AppData\Local\Temp\shrug.exe, and permanently delete the shrug.exe installer by pressing Shift+Delete.
Then they need to open the Run dialog by typing 'RUN' in the Windows search panel, enter 'Regedit' to open the Registry Editor, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
There, users can find the value named 'Shrug' and delete it. Finally, they need to empty the recycle bin and restart the machine, after which the ransomware is removed.
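The cleanup steps above, written as an added PowerShell script (not the article's or LMNTRIX's own tooling): it assumes the Run value is named 'Shrug' and the dropper lives at %LOCALAPPDATA%\Temp\shrug.exe, as the article reports, and reports each indicator before removing it.

```powershell
# Added example (not the article's or LMNTRIX's own script): audit and remove the
# Shrug persistence described above. Assumes the Run value is named 'Shrug' and the
# dropper sits at %LOCALAPPDATA%\Temp\shrug.exe, as the article reports.
# Run with -WhatIf first to list what would be removed without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    [string]$ValueName = 'Shrug',
    [string]$Dropper   = (Join-Path $env:LOCALAPPDATA 'Temp\shrug.exe')
)

$found = $false

# 1. Persistence: report the Run value and the command it launches, then remove it.
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($entry) {
    $found = $true
    Write-Output "Run value '$ValueName' present: $($entry.$ValueName)"
    if ($PSCmdlet.ShouldProcess("$RunKey\$ValueName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }
}

# 2. Running process: the article says it locks mouse and keyboard, so stop any
#    instance launched from the dropper path (a reboot, as advised above, also works).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $Dropper) } |
    ForEach-Object {
        $found = $true
        Write-Output "Process $($_.Id) running from $($_.Path)"
        if ($PSCmdlet.ShouldProcess("PID $($_.Id)", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 3. Dropper on disk: Remove-Item bypasses the Recycle Bin, like Shift+Delete.
if (Test-Path -LiteralPath $Dropper) {
    $found = $true
    Write-Output "Dropper present: $Dropper"
    if ($PSCmdlet.ShouldProcess($Dropper, 'Remove-Item')) {
        Remove-Item -LiteralPath $Dropper -Force
    }
}

if (-not $found) { Write-Output 'No Shrug indicators found on this host.' }
```

Because the script declares SupportsShouldProcess, `-WhatIf` and `-Confirm` work on every removal step without further code.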
The nature of Shrug suggests that it's likely a first attempt to build ransomware by low-level cyber criminals who don't have the necessary abilities to make their wares truly effective.
"The developers are newbies. While showing some technical skill, we assume they're new to the ransomware criminal market and this could be one of their first campaigns," Bipro Bhattacharjee, lead threat researcher at LMNTRIX, told ZDNet.
The low value of the ransom demand could also indicate that the attackers themselves aren't confident in a product they might see as a work in progress.
"We have two theories on why the ransom was so low. The first is that this could be a live-test of the ransomware, the other is the developers are in dire financial need and have left a low amount to encourage more people to pay," Bhattacharjee added.
While researchers have worked out how to retrieve files encrypted by Shrug for free, the best defence against this and other forms of ransomware is not becoming infected in the first place.