.SHRUG2 Files Virus (ShrugDecryptor) – Remove and Restore Data - How to, Technology and PC Security Forum | SensorsTechForum.com

.SHRUG2 Files Virus (ShrugDecryptor) – Remove and Restore Data

This article has been created to help you understand what is the Shrug ransomware virus (ShrugDecryptor) and show how to remove it plus how you can restore files, encrypted by it with an added .SHRUG2 extension.

A new ransomware virus, calling itself .SHRUG2 ransomware is the type of virus, whose primary purpose is to convince victims to pay $70 worth of BitCoin for about 3 days time. The ransomware virus aims to set a deadline to pay the ransom and if the victim does not comply, the actors threaten to destroy the decryption keys of the files, supposedly making them completely undecryptable. If your computer has been victimized by the .SHRUG2 files virus, we advise that you read this article and learn how you can remove this variant of Shrug Ransomware and how you can try to recover your files or decrypt them.

Threat Summary

Name.SHRUG2 Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the victim’s computer and then gives 3 days to pay $70 ransom to decrypt them.
SymptomsThe files are encrypted with the .SHRUG2 file extension added to them and a ransom note, called ShrugDecryptor appears on the victim PC.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .SHRUG2 Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .SHRUG2 Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.SHRUG2 Files Virus – Distribution Methods

For the .SHRUG2 file ransomware to be effectively distributed, the creators of this malware aim to push the malicious files of this virus via e-mails that pretend to originate from big companies, from the likes of:

  • DHL.
  • FedEx.
  • PayPal.
  • eBay.
  • Amazon.

In addition to this, the .SHRUG2 files virus is the type of threat that aims to get users to download the malicious payload of the ransomware, masked as a fake document. The types of files which may pose as legitimate are usually:

  • Invoices.
  • Receipts.
  • Banking documents.
  • Purchase details.

Furthermore, in addition to via e-mail, the .SHRUG2 files virus may also pose as a legitimate program of some sort that is downloadable. These types of files are uploaded on suspicious sites for software downloads and they often pretend to be:

  • Setups of software.
  • Fake executable files.
  • Fake portable programs.
  • Patches, cracks or other forms of software license activators.

.SHRUG2 Files Virus – More Information

The .SHRUG2 ransomware is the type of ransomware that aims to slither on your PC undetected and then hold your files hostage for ransom. To reach this end goal, the .SHRUG2 files virus performs series of unwanted activities on your PC. For starters, the ransomware virus drops it’s payload files on the computer of the victim. The files consist of the main malicious executable of Shrug Ransomware and other support files of the virus, like it’s ransom note. The ransomware may drop it’s malicious files in the following Windows directories:

  • %AppData%
  • %Local%
  • %Roaming%
  • %Temp%

The primary sample file of Shrug ransomware has been reported to have the following information:

→ SHA256: c89833833885bafdcfa1c6ee84d7dbcf2389b85d7282a6d5747da22138bd5c59

After the files belonging to Shrug ransomware are dropped on the victim PC, the malware may start to create mutexes and modify system files of Windows. In addition to this, the ransomware may also add registry entries in the following Windows Registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This activity is done with the purpose to get the ransomware virus to run automatically when you boot Windows and log in.

Among the malicious files of Shrug ransomware is it’s ransom note file, calling itself ShrugDecryptor. It appears In a typical ransomware manner with a mocking image at the expense of the user:

Shrug Ransomware – Encryption Process

The second variant of Shrug ransomware may initially scan for the types of files it wants to encrypt. The virus looks for the most often used files on the computers of victims such as:

  • Documents.
  • Images.
  • Videos.
  • Audio files.
  • Archives.
  • Virtual Drives.

Once the files are detected, the ransomware encrypts them using the same encryption mode as HiddenTear ransomware does, since Shrug is a HiddenTear variant. After encryption, the virus adds the .SHRUG2 file extension to the files that have been encrypted by it and they start to appear like the following:

Remove Shrug Ransomware and Restore .SHRUG2 Files

To remove this ransomware virus from your computer it is recommended that you follow the removal instructions underneath this article. They have been divided in manual and automatic removal instructions. If manual removal is not a solution for you because of one reason or the other, be advised that researchers recommend to remove .SHRUG2 virus automatically by downloading an advanced anti-malware software, which will take care of the removal process for you.

If you want to restore files, encrypted by this variant of Shrug Ransomware, be advised that you might be in luck, because it is actually a variant of HiddenTear. This is why we have created the Decryption Instructions, which can help decrypt most HiddenTear ransomware variants for free. In addition to this, if this method does not work for you, you can try the alternative methods for file recovery in step “2. Restore files encrypted by .SHRUG2 Files Virus” below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share