Shrug ransomware victims can now decrypt their files for free

Shrug, a new form of ransomware that was first spotted on the 6th of July, had a massive flaw in its code, allowing cybersecurity researchers to dismantle it and decrypt the locked files for free.

Originally, the ransomware emerged in fake software and gaming apps. Those unfortunate enough to get tricked into executing them were greeted by a mocking ransom note from an attacker referring to themselves as Martha.

In order to decrypt the files, the victims were asked to send $50 worth of Bitcoin, which is a relatively modest amount compared to the norm with other ransomware variants. In order to motivate the victim even more, there was a countdown timer threatening to destruct files if the ransom is not paid quickly enough.

To ensure a smooth transaction, the attacker has also left a note explaining how to acquire and transfer Bitcoin. All the encrypted files have a .SHRUG extension.

Thanks to the efforts of LMNTRIX, a cybersecurity company, it was discovered that the keys needed to decrypt them are embedded in the registry of the victim’s computer, without any kind of encryption whatsoever.

According to Bipro Bhattacharjee, lead threat researcher at LMNTRIX, the developers appear to be relative newcomers to the ransomware criminal market. The relatively low ransom demand could indicate either a dire financial need or simply a live test of the ransomware.

So, what’s the lesson to be learned? Don’t download software from unverified sources.

The complete Shrug removal procedure is thoroughly explained in the LMNTRIX blog.