What is Shrug2 ransomware? And how does it carry out its attack?

Shrug2 ransomware is a generic file-encrypting Trojan which appears to be a new variant of Shrug ransomware which was discovered not too long ago. This new variant is almost the same as the previous one except that it now uses a new Command and Control server configuration as well as new extension.
Once it is able to infiltrate a computer, it will begin to carry out its attack by dropping its malicious payload which is used to connect the computer to a remote Command and Control server controlled by the attackers. After establishing a connection, it then downloads its malicious components from the server and places them on system folders. It also employs a data gathering module used to harvest information from the infected PC. The harvested data along with the malicious components are then used for stealth protection to avoid any programs in the computer that might interrupt its attack. After that, it modifies the Windows Registry to be able to run on every system boot. Following these changes, Shrug2 ransomware will begin to encrypt its targeted files and append the .shrug2 extension to each one of them. Once it completes the encryption, it opens a program window with a mocking image at the expense of the victim. The program window contains the following message:
“Oops! Your files have been encrypted
Are you proud of me,
papa WannaCry?
momma NotPetya?
What happened?
Your important files have been encrypted. Many of your documents, pictures, videos, databases, scripts, codes, presentations are no longer accessible because they have been encrypted. Maybe you’re busy looking for a way to recover your stuff but don’t waste your time. Nobody can do that without our decryption service.
Can I recover my files?
Of course! We guarantee that you can recover all your files safely and quickly. But you don’t have too much time. If you want to decrypt everything, you will need to pay. You only have 3 days to submit the payment otherwise all your files will be PERMANENTLY deleted. Lost. Forever.
Payment is accepted in Bitcoin only.
Send $70 worth of Bitcoin to:
How does Shrug2 ransomware spread online?
Shrug2 ransomware may spread using malicious spam email campaigns which are attached with an infected file. The infected file may be an executable file or a document with macro scripts that once opened, will run command to install Shrug2 ransomware into the computer. Thus, you must double check emails first before you open their attachments as they could contain the malicious payload of ransomware threats like Shrug2 ransomware.
Follow the removal guide laid out below to eliminate Shrug2 ransomware from your computer successfully.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options which is right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select “Safe Mode with Networking”.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.

Step 6: Go to the Processes tab and look for the process named “Shrug2.exe” as well as any suspicious-looking process that could be related to this crypto-malware and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 8: From the list of installed programs, look for any unknown and dubious program that could be related to the Shrug2 malware and then uninstall it.

Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components of Shrug2 like “Shrug2.exe” and then delete them all.

  • %TEMP%
  • %Userprofile%\Robin
  • %Userprofile%\Cerber
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by Shrug2.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
  • HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
  • HKEY_CURRENT_USER\Control Panel\Desktop

Step 14: Delete the registry keys and sub-keys created by Shrug2.
Step 15: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Volume Shadow copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Shrug2 ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Once you’re done executing the steps given above, you need to continue the removal process of Shrug2 ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the SafeMode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Box will show up.
  2. Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
  3. After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
  4. Once the installation process is completed, run [product-code] to perform a full system scan.
  1. After the scan is completed click the “Fix, Clean & Optimize Nowbutton.

logo main menu

Copyright © 2023, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?