
Shrug2 Ransomware

Posted: July 19, 2018

The Shrug2 Ransomware is a file-locking Trojan built from Hidden Tear, an open-source ransomware code base that uses encryption to hold your digital media hostage. This version of Hidden Tear also includes a pop-up that delivers its ransom instructions for the supposed unlocking service, which malware experts discourage using. Backups, and in many cases free decryption utilities, can recover the content that this threat blocks, and most anti-malware products can delete the Shrug2 Ransomware without difficulty.

The Train that Shrugs While Running Over Your Files

The latest Hidden Tear variant available for analysis by malware experts shows some unusual choices in its theme, although the technical side of its attack is, for the most part, unchanged. The Shrug2 Ransomware gains access to new Windows machines by posing as a harmless document, after which it can lock files and hold them hostage for its ransom. Unlike the majority of Hidden Tear variants, however, the Shrug2 Ransomware also drops components that imitate the payload of the '.wcry File Extension' Ransomware and the wider WannaCryptor Ransomware family.

The Shrug2 Ransomware uses the same AES-based encryption routine as other members of its open-source family, such as the Boris HT Ransomware and the XeroWare Ransomware, or the older First Ransomware and the HappyLocker Ransomware. Each file that it locks with this data-encrypting attack, including documents, pictures, archives and music, also receives the '.SHRUG2' extension that the Trojan appends to the end of its name. Only then does the Shrug2 Ransomware launch the portion of its payload that it uses for extracting money from its victims: the pop-up.
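The one concrete artifact the article gives a responder to work with is the appended '.SHRUG2' suffix. The script below is an added example, not code from the original page or from the Hidden Tear project: it inventories every file carrying that suffix, recovers the name each file should be restored under from a backup, and uses two heuristics (byte entropy and a length consistent with AES-CBC/PKCS7 output) to separate files that were actually encrypted from files that were merely renamed, which matters because a locker that crashes mid-run leaves plaintext behind a scary extension. The entropy threshold, the block-size check and the sample directory tree are this example's assumptions and constructed data, not attributes of the malware.

```python
"""Post-infection triage for a Hidden Tear-style file locker.

Added example, not code from the original article. It assumes only what the
article states: the locker appends the literal suffix '.SHRUG2' to each file it
encrypts. The entropy threshold and the block-size check are this example's
heuristics, not attributes taken from the malware itself.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

LOCKED_SUFFIX = ".SHRUG2"
AES_BLOCK = 16            # AES block size; CBC + PKCS7 output length is a multiple of this
ENTROPY_THRESHOLD = 7.5   # bits per byte; heuristic cut-off for "looks encrypted"


@dataclass
class LockedFile:
    path: str
    restore_as: str       # original name, recovered by stripping the suffix
    size: int
    entropy: float
    looks_encrypted: bool


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess(path: str) -> LockedFile:
    """Classify one '.SHRUG2' file as encrypted or renamed-only."""
    with open(path, "rb") as f:
        head = f.read(65536)   # the first 64 KiB is enough for the entropy heuristic
    size = os.path.getsize(path)
    ent = shannon_entropy(head)
    # Two independent signals: near-uniform bytes, and a length that a block cipher
    # in CBC mode with PKCS7 padding would produce. A plaintext file that was only
    # renamed fails the first and, for most sizes, the second as well.
    looks_encrypted = ent >= ENTROPY_THRESHOLD and size > 0 and size % AES_BLOCK == 0
    return LockedFile(path, path[: -len(LOCKED_SUFFIX)], size, ent, looks_encrypted)


def triage(root: str) -> list[LockedFile]:
    """Inventory every '.SHRUG2' file under root, sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(LOCKED_SUFFIX):
                found.append(assess(os.path.join(dirpath, name)))
    return sorted(found, key=lambda r: r.path)


def build_sample_tree() -> str:
    """Constructed sample data (not from a real infection) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="shrug2_triage_")
    os.makedirs(os.path.join(root, "docs"))
    # 1) genuinely encrypted-looking: random bytes, length a multiple of 16
    with open(os.path.join(root, "docs", "report.docx" + LOCKED_SUFFIX), "wb") as f:
        f.write(os.urandom(4096))
    # 2) renamed but NOT encrypted: readable text, length not a multiple of 16
    with open(os.path.join(root, "notes.txt" + LOCKED_SUFFIX), "wb") as f:
        f.write(b"Meeting notes: quarterly review, action items below.\n" * 3)
    # 3) untouched file without the suffix: must be ignored by the inventory
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    for rec in triage(build_sample_tree()):
        state = "encrypted" if rec.looks_encrypted else "renamed only, restore by rename"
        print(f"{rec.restore_as}  {rec.entropy:.2f} bits/byte  {state}")
```

Run it against the root of an affected volume instead of the constructed tree and the `restore_as` column becomes the restore list to hand to whoever owns the backups; files flagged "renamed only" need no decryption at all.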

This HTA pop-up uses the layout popularized by the WannaCryptor Ransomware family, with some changes: an image from the 'Thomas & Friends' train-themed cartoon, references to the WannaCryptor Ransomware and the Petya Ransomware, and a new, fixed ransom demand of 70 USD payable in Bitcoin. Like many of the file-locking Trojans malware experts encounter, the Shrug2 Ransomware also displays a countdown timer meant to convince victims that not paying results in the deletion of their media. That threat is a bluff; timed deletion is not a feature that Hidden Tear provides.

Taking Your PC Off of the Train Tracks

The atypical marketing of the Shrug2 Ransomware continues with its distribution tactic: a fake download of the Codex Gigas (a medieval manuscript also known as the 'Devil's Bible') that installs the Trojan onto unprotected computers. Hidden Tear and its variants, the Shrug2 Ransomware included, only run on Windows, but on most versions of that OS they can lock anywhere from dozens to thousands of files quickly and without any visible symptoms that would give the attack away to an observing user. Keeping a secure backup, ideally one stored where an infected machine cannot reach it, is a vital defense against both the Shrug2 Ransomware and all Trojans of its general classification.

Users who have no backups, or whose backups were deleted or encrypted, should contact an anti-malware researcher experienced with file-locking Trojans for help with decrypting their data. Although many versions of Hidden Tear have weak encryption that a free decryption program can reverse, such a tool may need updating before it handles the latest variant. Qualified anti-malware tools should delete the Shrug2 Ransomware on sight and provide the safest means of disinfecting your PC and preventing further damage.

Like the classic hostage scenario of a damsel tied to the train tracks, the Shrug2 Ransomware takes helpless data and puts it at risk for mercenary motives. Unlike people, however, data is something users can copy and protect easily, which makes the Shrug2 Ransomware a decidedly inferior version of Snidely Whiplash.
