Shrug Ransomware: How to Get Your Files Back Without Paying the Ransom

Ransomware is a nightmare.

Your company’s important files are locked away by a shady individual or group with no guarantee you’ll ever get them back. 

In most cases, there’s not a whole lot that can be done. But if you’ve recently become a victim of a particular type of ransomware, there’s hope. 

A new form of ransomware that was first discovered earlier this month, called “Shrug,” has coding mistakes that allow victims to retrieve their files without paying the ransom. If you’re a victim of Shrug ransomware, here’s how to get your files back.

How to Know If You Have Shrug

Shrug ransomware gets onto a computer by tricking someone into downloading and running fake software or an app. Once it runs, your files are encrypted and you receive a note that begins with:

"I know what you're thinking. 'What happened?' Well the answer is quite simple. Before I tell you, promise you will not get mad. Okay. Your PC was a victim of a Ransomware attack."

The note goes on to demand $50 in Bitcoin in return for decrypting the files. If you've been attacked by Shrug, your screen will look like the lock screen in the screenshot below:

[Screenshot of the Shrug lock screen. Image courtesy of LMNTRIX]

How to Get Your Files Back

Shrug needs a code to unlock the encrypted files. Fortunately, researchers at LMNTRIX discovered that the attacker mistakenly left this code in the Windows registry, so you can retrieve it without paying the ransom. Note: these steps are for Windows PCs, as there have been no reports of Shrug appearing on Apple devices.

LMNTRIX provides the following steps you can take to remove the ransomware from your PC:

Step 1. Restart the infected machine to remove the lock screen and terminate the malicious process responsible for locking the mouse and keyboard (explained in further detail in LMNTRIX's analysis).

Step 2. Open File Explorer.

Step 3. Enter the Shrug ransomware installer path (C:\Users\USERNAME\AppData\Local\Temp\shrug.exe), substituting your own Windows user name for USERNAME.

[Screenshot. Image courtesy of LMNTRIX]

Step 4. Permanently delete the installer file "shrug.exe" [Shift + Delete], which bypasses the Recycle Bin.

Step 5. Open the Run dialog (press the Windows key + R, or type "Run" in the Windows search panel), type "regedit" and hit OK.

[Screenshot. Image courtesy of LMNTRIX]

Step 6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

[Screenshot. Image courtesy of LMNTRIX]

Step 7. Identify the registry value named "Shrug" under that Run key.

Step 8. Copy the data of the "Shrug" value into a text file and keep it for future reference, then right-click the value and hit Delete.

Step 9. Empty your Recycle Bin and restart the machine.
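The same check and clean-up, scripted. This is an added example written for this post, not LMNTRIX's code or anything from the original analysis. It assumes only what the article states (the installer at %LOCALAPPDATA%\Temp\shrug.exe and a Run value named "Shrug"); the evidence file name and location are this example's own choice. It looks for the three indicators (Run value, installer file, running process), and if any is present it saves the registry data and the installer's SHA-256 hash before removing the file and the Run entry, so nothing is lost that you might need later.

```powershell
# Added example (not LMNTRIX's code or the original post's): check a Windows PC for
# the Shrug indicators described above and, if present, carry out Steps 4 and 6-8
# from PowerShell, saving the registry data and the installer's hash first.
# Assumptions: installer path and "Shrug" Run value as the article states;
# the evidence file name and location below are this example's own choice.
# Run as the affected user (the Run key is under HKCU), after the reboot in Step 1.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Shrug'
$installer = Join-Path $env:LOCALAPPDATA 'Temp\shrug.exe'
$evidence  = Join-Path $env:USERPROFILE 'Desktop\shrug-evidence.txt'   # assumed name

function Get-ShrugIndicators {
    # Read the Run value without throwing if it is absent.
    $props = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunValue        = if ($props) { $props.$valueName } else { $null }
        InstallerExists = Test-Path -LiteralPath $installer -PathType Leaf
        Processes       = @(Get-Process -Name 'shrug' -ErrorAction SilentlyContinue)
    }
}

$ind = Get-ShrugIndicators
if (-not $ind.RunValue -and -not $ind.InstallerExists -and $ind.Processes.Count -eq 0) {
    Write-Host 'No Shrug indicators found (Run value, installer or process).'
    return
}

# Step 8, first half: record the registry data before deleting anything.
$stamp = Get-Date -Format o
if ($ind.RunValue) {
    "$stamp`t$runKey\$valueName`t$($ind.RunValue)" | Out-File -FilePath $evidence -Append -Encoding utf8
    Write-Host "Saved '$valueName' value data to $evidence"
}

# Step 1 equivalent if the reboot was skipped: stop any running shrug process
# so the installer file is not locked when we delete it.
if ($ind.Processes.Count -gt 0) {
    $ind.Processes | Stop-Process -Force
}

# Step 4: hash the installer for your incident record, then remove it
# (Remove-Item does not use the Recycle Bin, like Shift + Delete).
if ($ind.InstallerExists) {
    $hash = (Get-FileHash -LiteralPath $installer -Algorithm SHA256).Hash
    "$stamp`t$installer`tSHA256=$hash" | Out-File -FilePath $evidence -Append -Encoding utf8
    Remove-Item -LiteralPath $installer -Force
    Write-Host "Removed $installer"
}

# Step 8, second half: remove the persistence entry so it does not start again.
if ($ind.RunValue) {
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Host "Removed $runKey\$valueName"
}
```

Run it from a PowerShell window as the affected user. If you have an IT or incident-response team, they may prefer to copy shrug.exe into a quarantine folder rather than delete it, so that the sample can be examined; the script records its hash either way. Like the manual steps, this removes the ransomware and its autostart entry but does not itself decrypt files that are already encrypted.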

There you have it; with luck you've just escaped a painful ransomware incident. Bear in mind that Steps 1 through 9 remove the ransomware and its Run entry and preserve the registry data; they do not by themselves decrypt files that were already encrypted, so keep that saved value with your incident notes. Unfortunately, next time may not be so forgiving.

How to Avoid Future Ransomware

It probably goes without saying, but most ransomware attacks don’t end with the attackers leaving the unlock code in the registry. Prevention is the best policy when it comes to ransomware.

Shrug entered your system because you or someone in your organization downloaded suspicious software. It’s important to be aware of what you and your employees download. As a general rule, if you’ve never heard of the organization that makes the software/app, then it isn’t worth the risk of downloading without conducting research to ensure the organization is legitimate — or asking your IT team if it’s safe.

The same goes for the website you’re getting the software from. If you’ve never heard of it before, it’s not a good idea to download from it.

Our goal with this blog is to help you keep your organization secure, which is why we have a variety of posts that will help you prevent future ransomware attacks. In particular: 

  • Read this post to learn how creating a culture of cybersecurity awareness can prevent major attacks
  • Check out this article which dives into the actions you can take to reduce security risks caused by employees 

For more updates on all things cybersecurity and IT, check back here each week! If you’re looking for a more hands-on cybersecurity solution, we can help with that too.

Learn more about how we help small businesses tighten up their security with detailed planning and prevention techniques here.

Written by Nik Vargas