The Shrug Ransomware: The Laziest Attempt Ever?

Usually, a ransomware infection is a good reason to panic. But if you're hit by this sloppily made ransomware, you can 'shrug' it off with ease.

There’s some truly terrifying ransomware strains out there, but the latest addition to the pile – the “Shrug” ransomware – is not one of them.

Due to a lack of attention to detail, the ransomware makers left something crucial in the final strain – the keys to unlock all the infected victim’s files.

Shrug made its appearance on July 6, appearing trojan-style in fake software and gaming apps. Infected victims had their files locked down and a ransom note delivered from a mysterious “Martha”.

The message reads thusly: “I know what you’re thinking. ‘What happened? Well the answer is quite simple. Before I tell you, promise you will not get mad. Okay. Your PC was a victim of a Ransomware attack.”

The ransom is a whopping… $50 in bitcoin. True to typical ransomware form, Shrug (or Martha) provides its victims with some instructions and a threat to delete all the files in three days if ransom isn’t paid. Ho hum.

But the way to uninfect yourself is incredibly simple if you know how, so you don’t have to be one dinner date out of cash.

Here are the instructions from ZDNet:

In order to decrypt Shrug ransomware, researchers say victims need to restart the machine to terminate the process the ransomware uses to lock the mouse and keyboard.

Following that, they need to open File Explorer and enter the Shrug ransomware installer path: C:\Users\USERNAME\AppData\Local\Temp\shrug.exe. From here, users can perform a permanent delete of the ‘shrug.exe’ installer file, by pressing Shift and Delete.

Next, open the RUN app on Windows by typing “RUN” in the Windows search panel, then enter “Regedit” in order to get to the Registry and enter HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Users can then identify the key value titled “Shrug” which can be deleted. Finally, clear it from the recycle bin, restart the machine and then the ransomware is removed.

Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin



Start your free 30-day trial today