The ShutUpAndDance virus is a basic ransomware strain built on the Hidden Tear family. Analysis indicates that this is the initial release of the threat; updated versions used in further attack campaigns are likely to follow. This article gives an overview of how the virus operates and may help in attempting to remove it.
| Item | Details |
|---|---|
| Short Description | The ransomware encrypts user files on the infected system, marks them with the .ShutUpAndDance extension and demands a ransom payment to allegedly recover them. |
| Symptoms | Files are encrypted with a strong encryption algorithm and renamed with the .ShutUpAndDance extension; a ransom note named READ_IT.txt is dropped. |
| Distribution Method | Spam emails, email attachments |
| Detection Tool | See if your system has been affected by the ShutUpAndDance virus (malware removal tool) |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover lost files and may recover only some of the encrypted files, not all of them, depending on the situation and on whether the drive has been reformatted. |
ShutUpAndDance Virus – Distribution Ways
As soon as the ShutUpAndDance virus infection begins, the main module starts to run its prescribed behavior pattern. The investigation shows that it is based on the Hidden Tear ransomware family, so its behavior can be tuned for each target campaign.
The ShutUpAndDance virus has been captured in a limited attack campaign targeting mainly English-speaking computer users. We anticipate that in future attacks the operators behind it will use a wider array of infection tactics.
A common way to spread this kind of threat is phishing email. The messages are designed to make users believe they have received a message from a well-known company or a service they use. The virus files can either be attached to the email or linked from its body.
A related technique is the use of malicious download sites that mimic legitimate download portals. Together with the email messages these are among the most popular ways of spreading infected payloads, of which there are two main types:
- Malicious setup files: the criminals can bundle the ShutUpAndDance virus into installers of popular software. They take the original installer from the vendor's site and add the malicious code to it. The targets are typically programs users commonly look for: system utilities, productivity applications or creativity suites.
- Documents: the same technique can be used with document files (text files, spreadsheets, presentations and databases). When the file is opened, a prompt asks the user to enable the built-in scripts (macros). If this is done, the infection begins.
A browser hijacker can be another delivery method. Malicious extensions are created for the most popular browsers and uploaded to their official extension repositories, using fake developer credentials, fake user reviews and a detailed description to convince users to install them. They are called hijackers because they modify the default browser settings (home page, new tab page and search engine) to redirect users to an attacker-controlled page. Once installed, the extension runs its associated behavior pattern, which includes deploying the virus.
ShutUpAndDance Virus – In-Depth Analysis
The ShutUpAndDance virus is a new strain of the Hidden Tear ransomware family. Hidden Tear is one of the most popular bases for custom ransomware because its source code is publicly available and easy to modify, so we presume that the individual or group behind this strain is not very experienced.
At the moment the captured samples contain only the ransomware engine, which is the simplest form of a Hidden Tear threat. Based on previous strains of the same family, we expect the following classic infection behavior to be added in later versions.
Such attacks can begin with a data harvesting module, programmed to extract specific strings from the infected system. This component can reveal the victim's identity by collecting data such as name, address, phone number, location and interests. The same technique can be used to gather campaign metrics useful to the attackers: hardware components, user settings and certain operating system values. The collected information can also be used to scan the local system for applications or services that could interfere with the virus: the component looks for signatures of anti-virus programs, sandbox environments and virtual machine hosts.
Hidden Tear threats are capable of a wide range of system modifications. A common scenario is changing the Windows Registry: existing entries can be altered and new ones created. When this affects operating system values, users can experience overall performance issues; targeting individual services or user-installed applications can make certain functions unusable.
The ShutUpAndDance virus can also be installed as a persistent threat by modifying the boot options. As a result the malicious engine starts every time the computer is powered on, and access to the recovery menu is disabled.
Advanced infections can also install a Trojan module. The classic case sets up an encrypted connection to an attacker-controlled server, which the criminals use to spy on the victims, take control of their machines at any time or deploy additional threats.
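The registry and boot-option changes described above leave traces in process-creation telemetry that a responder can hunt for. The following is an added example, not code from the article or from Hidden Tear: it runs a few detection rules over constructed process-creation records in a simplified "timestamp, image, command line" form. The specific commands (bcdedit disabling recovery and ignoring boot failures, a reg add to the CurrentVersion\Run key) are assumptions about how this behavior is commonly implemented, not artifacts observed in the ShutUpAndDance samples, which so far contain only the encryption engine.

```python
"""Flag process-creation events consistent with boot-recovery tampering and
Run-key persistence.

Added example; not code from the article or from Hidden Tear. The events
below are constructed, and the flagged commands are assumed typical
implementations of the described behavior, not observed indicators.
"""
import re

# Constructed sample records: (timestamp, image path, command line).
SAMPLE_EVENTS = [
    ("2018-01-10T09:12:01", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled No"),
    ("2018-01-10T09:12:02", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("2018-01-10T09:12:03", r"C:\Windows\System32\reg.exe",
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater '
     r'/t REG_SZ /d "C:\Users\bob\AppData\Roaming\svch.exe"'),
    # Benign activity that must not trigger: listing boot entries, unrelated tool.
    ("2018-01-10T09:15:44", r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
    ("2018-01-10T09:16:10", r"C:\Program Files\Git\bin\git.exe", "git status"),
]

# Each rule is (name, compiled pattern). Matching is case-insensitive because
# bcdedit and reg accept option names and values in any case.
RULES = [
    ("recovery_disabled",
     re.compile(r"bcdedit.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("run_key_persistence",
     re.compile(r"reg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
]


def classify(command_line):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(events):
    """Return alerts as (timestamp, rule name, command line) for matching events only."""
    alerts = []
    for timestamp, _image, command_line in events:
        for rule in classify(command_line):
            alerts.append((timestamp, rule, command_line))
    return alerts


if __name__ == "__main__":
    for timestamp, rule, command_line in scan(SAMPLE_EVENTS):
        print(f"{timestamp}  {rule:<24} {command_line}")
```

The rules match on the command line rather than on the image path, so a renamed copy of bcdedit.exe or reg.exe is still caught; a benign `bcdedit /enum` produces no alert.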
ShutUpAndDance Virus – Encryption
Like other Hidden Tear based viruses, its main goal is to encrypt user data that matches a built-in list of file type extensions. Most ransomware targets commonly used data such as the following:
All encrypted files are renamed with the .ShutUpAndDance extension. The accompanying ransom note is called READ_IT.txt and reads as follows:
WE SAW WHAT YOU DID.
YOUR FILES ARE ENCRYPTED!
SEND US AN EMAIL FOR INSTRUCTIONS
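The renamed files and the READ_IT.txt note are the indicators a responder can enumerate to scope an infection. The following is an added example, not code from the article or from Hidden Tear: it walks a directory tree, collects files carrying the .ShutUpAndDance marker, tallies which original file types were hit and confirms ransom notes by the phrase quoted above. It assumes, as Hidden Tear variants commonly do, that the marker is appended to the original name (report.docx becomes report.docx.ShutUpAndDance); the sample tree it builds is constructed data, not real victim files.

```python
"""Triage a directory tree for ShutUpAndDance indicators.

Added example; not code from the article or from Hidden Tear. Assumes the
marker extension is appended to the original file name (an assumption; the
article only says files are renamed with .ShutUpAndDance) and that the note
is dropped as READ_IT.txt in affected directories.
"""
import os
import tempfile
from collections import Counter

MARKER_EXT = ".ShutUpAndDance"
NOTE_NAME = "READ_IT.txt"
NOTE_PHRASE = "YOUR FILES ARE ENCRYPTED"  # from the note text quoted in the article


def triage(root):
    """Walk `root` and classify files.

    Returns a dict with:
      encrypted      - paths carrying the marker extension
      notes          - READ_IT.txt paths whose body contains the quoted phrase
      original_exts  - Counter of the extensions the encrypted files had before renaming
    """
    result = {"encrypted": [], "notes": [], "original_exts": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Compare case-insensitively: NTFS preserves case but does not enforce it.
            if name.lower().endswith(MARKER_EXT.lower()):
                result["encrypted"].append(path)
                original = name[: -len(MARKER_EXT)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                result["original_exts"][ext] += 1
            elif name.lower() == NOTE_NAME.lower():
                try:
                    with open(path, "r", errors="replace") as fh:
                        body = fh.read()
                except OSError:
                    continue
                if NOTE_PHRASE in body.upper():
                    result["notes"].append(path)
    return result


def build_sample_tree():
    """Create a constructed sample tree for a dry run; contents are not real victim data."""
    root = tempfile.mkdtemp(prefix="sud_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.ShutUpAndDance", "thesis.docx.ShutUpAndDance",
                 "vacation.jpg.ShutUpAndDance"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # random bytes stand in for ciphertext
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("WE SAW WHAT YOU DID.\nYOUR FILES ARE ENCRYPTED!\n"
                 "SEND US AN EMAIL FOR INSTRUCTIONS\n")
    with open(os.path.join(root, "untouched.txt"), "w") as fh:
        fh.write("not encrypted\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted file(s), {len(report['notes'])} ransom note(s)")
    for ext, count in report["original_exts"].most_common():
        print(f"  {ext}: {count}")
```

Run it against a victim's profile directory instead of the sample tree to get the list of affected files and the distribution of original file types, which is useful both for scoping and for deciding which backups to restore.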
Remove ShutUpAndDance Ransomware Virus and Restore .ShutUpAndDance Files
If your computer has been infected with the ShutUpAndDance ransomware, you should have some experience in removing malware. Remove the ransomware as quickly as possible, before it has the chance to spread further and infect other computers, by following the step-by-step instructions provided below.