ShutUpAndDance ransomware – cryptovirus that uses Fsociety-themed ransom note

ShutUpAndDance ransomware is a file locking virus that was first potted by security experts in the mid-August 2018. The malware is a part of the HiddenTear family and encrypts data using AES,[1] and then affixes .ShutUpAndDance file extension. As soon as the encoding process is complete, the C&C server sends the ransom note READ_IT.txt to the victim. In the text document, the user can see a short notice from hackers, explaining that all files have been locked, and to get them back he or she should email them using fsocietyhelp@yandex.com. ShutUpAndDance ransomware uses a Fsociety-based ransom note, displaying the masked face compiled of random symbols.
| SUMMARY | |
| Name | ShutUpAndDance |
| Type | Ransomware |
| Cipher used | AES |
| File extension | .ShutUpAndDance |
| C&C server | siga.semarnath.gob.mx |
| Primary executable | adobe.exe |
| Ransom note | READ_IT.txt |
| Distribution | Spam emails, unprotected RDP, malicious websites, fake updates, etc. |
| Detection and elimination | Use FortectIntego or SpyHunterCombo Cleaner |
ShutUpAndDance ransomware uses a hard-coded[2] password, which means that it is not generated during the runtime when the main executable adobe.exe is run on the system. This feature of the virus indicates that security engineers can create a free decryptor in the future, and it is another reason not to pay the ransom and remove ShutUpAndDance ransomware instead.
The infiltration techniques of ShutUpAndDance virus can vary from contaminated file attachments in spam emails, as drive-by downloads to unprotected RDP. Therefore, users should be well aware of clever social engineering used for phishing emails that are sent to thousands of users. To prevent malware infections, use relative protection measures, including security software (we recommend FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes).
As soon as ShutUpAndDance ransomware is injected, multiple system settings are modified so that the virus would gain persistence. It changes Windows Registry and attempts to delete Shadow Volume Copies, which are usually used as an automated back-up on every Windows operating system. However, most ransomware viruses are coded in a way so that these backups would be deleted, although, in some cases, malware fails to perform this process, making file recovery much more manageable.
The ransom not of ShutUpAndDance virus states the following:
FSOCIETY
WE SAW WHAT YOU DID
YOUR FILES ARE ENCRYPTED!
SEND US AN EMAIL FOR INSTRUCTIONS
fsocietyhelp@yandex.com
As evident, there is not much information displayed, and users who do not know anything about ransomware and how it works might do what they are being asked for. However, security experts[3] highly discourage users to contact cybercrooks, as they can be scammed and lose not only their files but also money.
It is debatable whether authors of ShutUpAndDance ransomware are related to the Fsociety hacker group (one of the most notorious hacktivists groups, which name is based on Mr.Robot TV series), as the presented ransom note uses same ASCII art. Another interesting fact is that the C&C server is located on a Mexican governamental site.
Currently, 32 AV engines recognize[4] the main executable of ShutUpAndDance as malicious, and some of the given names include:
- Gen:Heur.Bodegun.1
- MSIL.Trojan-Ransom.Cryptear.R
- HEUR/AGEN.1029350
- HEUR:Trojan.Win32.Generic
- Ransomware-FTD!04D5426462DB
- Ransom:MSIL/Ryzerlo.A
- Ransom.HiddenTear!g1
- Ransom_CRYPTEAR.SM0, etc.
If your files are encrypted, we suggest you take care of ShutUpAndDance ransomware removal using reputable security software. Only then data can be recovered using backups or third-party software. You will find all the instructions below this article.

Do not let the ransomware virus in – dealing with it is much more complicated than preventing it
Several things can be done to prevent serious computer infections like ransomware. Do not neglect online security, as dealing with malware infection consequences is much more bothersome rather than stopping them in the first place. While no method is 100% secure, the chances are you will never get infected with a severe virus if you follow these simple tips:
- Spam emails are the most prevalent ransomware distribution method. Therefore, being cautious while opening emails that are in the Inbox (and especially in the Spam box) is crucial. Malicious payload is hidden inside file attachments – .pdf, .doc, .zip, .txt, .html and other format files. Additionally, cleverly disguised hyperlinks can connect to contaminated websites and inject malware that way.
- Software vulnerabilities is another method used by hackers, and it is also very effective, as users often fail to update their software on time. Thus, make sure all of your software, including Windows and anti-virus, is patched as soon as the updates are released.
- Use strong passwords for RDP and make it private. Brute-forcing passwords is another technique used by hackers.
- Avoid questionable websites, such as torrent, file-sharing, porn and similar. Downloading anything from such domains is the worst idea, as any file can be disguised and look legitimate.
Finally, we would like to suggest you keep backups of your files. This simple process which only takes a few minutes can save you from the entire ordeal pretty easily.
Delete ShutUpAndDance ransomware from your computer
To remove ShutUpAndDance virus, use anti-malware software. We suggest you download and install FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes and perform a full system scan. Note that ransomware viruses might prevent security software from starting correctly. In such case, you should enter Safe Mode with Networking as explained below.
We urge you not to attempt manual ShutUpAndDance ransomware removal, as the malicious files are embedded deep within computer files, and only trained IT professionals can restore them without security software.
As soon as the elimination process is complete, proceed with the file recovery. Either get them back from backups (it is the most secure way) or use the third-party software we recommend below, although the chances of recovery are slim. Nevertheless, because the virus uses a hard-coded password, security experts could create decryption software in the near future.
Was this guide helpful?
Be the first to comment