Shrug2 ransomware (Free Instructions) - Bonus: Decryption Steps

Shrug2 virus Removal Guide

What is Shrug2 ransomware?

Shrug2 ransomware is a file-encrypting virus that that pretends to be from the same family as WannaCry

Shrug2 ransomware virusShrug2 ransomware is a threat that offers ShrugDecryptor to recover encrypted data. Shrug2 ransomware is the second version of Shrug ransomware which has been filled with the few new features. The threat is almost identical to the original ransomware. However, the cryptovirus is appending a new file extension and is also using Command and Control server[1] configuration. Like the previous version, Shrug2 relies on AES encryption cipher to lock victim's files, and, after successful encryption, adds .SHRUG2 file extension as a marker for encrypted data. As a result, users' data becomes unreadable. Additionally, ransomware places a ransom note on the system which appears in a program window called ShrugDecryptor and states more details about the attack. It claims that the ransom amount is 70 USD which should be paid in Bitcoin. Also, the virus promises to delete data permanently if the ransom is not paid in three days. At the moment, there is no contact email in the ransom note that is advertising the alleged Shrug decryption services.

Name Shrug2
Type Ransomware
Previous version Shrug
File extension .SHRUG2 appendix
Encryption method AES
Ransom amount $70 in Bitcoin
Ransom note ShrugDecryptor
Distribution Spam email attachments
Elimination Download and use FortectIntego for Shrug2 ransomware removal

Shrug2 ransomware is a malicious crypto-virus that infects your system silently and starts its malicious processes in the background. As the first step, ransomware modifies old or adds new registry keys to make sure that its script is launched everytime your infected device reboots.

Additionally, Shrug2 virus scans the system and selects which photos, videos, documents or databases to encrypt with a sophisticated AES encryption algorithm. When this file locking is done, the virus places .SHRUG2 file extension. As a result, you can clearly see which files are modified by the threat.

This silent intruder has been spreading for some time. As a result, Shrug2 can be detected by numerous anti-virus and anti-malware tools as:

  • Artemis!04112AEC4740
  • TR/Ransom.rhagu
  • Generic.Ransom.Hiddentear.A.B8BBD7A8
  • TR/Hiddenrear.agdsy
  • Trojan.Ransom.Shrug
  • Ransom.Genasom!8.293 (CLOUD)
  • TROJ_GEN.R002H09GC18
  • malicious_confidence_70% (D)
  • malware (ai score=97)
  • Win32/Trojan.Hoax.4a4[2]

When this virus is done with the encryption process, it displays a program window on the screen that looks like a decryption service. The ransom note states that you have 3 days to pay $70 in Bitcoin to a provided wallet. The window is called ShrugDecryptor and contains the following message:

'Ooops! Your files have been encrypted
Are you proud of me,
papa WannaCry?
momma NotPetya?

What happened?
Your important files have been encrypted. Many of your documents, pictures, videos, databases, scripts, codes, presentations are no longer accessible because they have been encrypted. Maybe you're busy looking for a way to recover your stuff but don't waste your time. Nobody can do that without our decryption service.
Can I recover my files?
Of course! We guarantee that you can recover all your files safely and quickly. But you don't have too much time. If you want to decrypt everything, you will need to pay. You only have 3 days to submit the payment otherwise all your files will be PERMANENTLY deleted. Lost. Forever.
Payment is accepted in Bitcoin only.
Send $70 worth of Bitcoin to:
1Hr1grgH9ViEgUx73iRRJVKH3PFjUtenx'

The first sentences of the ransom note are typically mimicking WannaCry and Petya cyber threats. However, at the moment securoty experts do not find any relation between these cyber threats. If you got infected, you need to remove Shrug2 ransomware as soon as possible. It is important because this ransomware can access various places in the system and modify it according to its developer's commands.

As we have mentioned, this cyber threat is using C&C server configuration helping people behind the virus store your data or control various parts of the device without you knowing that. This additional feature of the ransomware makes it even more dangerous. To prevent the worst case scenario, focus on Shrug2 ransomware removal and get rid of this threat. Use FortectIntego or other anti-malware tools to scan your device and eliminate all issues hailing from the infection.

Shrug2 ransomwareShrug2 ransomware is a crypto-virus that demands 70$ in Bitcoin for recovering encrypted files. According to the criminals, you have to pay the ransom in less than three days.

Malicious files are typically distributed via infected emails

Malware developers aim to distribute the virus payload widely, so they pretend to send emails from companies like DHL, PayPal or Amazon. Since people often use these services, victims unknowingly open these safe-looking emails and download malicious files.

Researchers[3] advise you to pay more attention because the minute you download and open the infected file on your computer this malicious ransomware script is planted on the system. These invoices or receipts can look safe but always check for typos and grammar mistakes on the email. This can be an indicator that the email is not legitimate.

Get rid of Shrug2 ransomware and all related issues by following our tips

The first thing you should know if you want to remove Shrug2 ransomware is that all additional changes made by this threat can be related to other programs and their malfunction in the future. You need to use professional anti-malware tools to get rid of all the fraudulent files and damaged caused by them. Tools like FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes can fully scan your device and detect this malware.

Shrug2 ransomware removal is crucial if you want to get back to a safe computer's usage. We do not recommend replacing your affected files or restoring them by using our recovery instructions until you get rid of the malware because ransomware keeps encrypting everything in its way. So use anti-malware, delete ransomware virus, clean your system thoroughly, double-check and then recover your data.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Shrug2 virus. Follow these steps

Manual removal using Safe Mode

Disable the threat affecting your device by rebooting the system in Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Shrug2 using System Restore

System Restore is a feature that might be helpful in Shrug2 ransomware removal because it is supposed to disable the malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Shrug2. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Shrug2 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Shrug2 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Shrug2, you can use several methods to restore them:

Data Recovery Pro can be the tool you need if Shrug2 ransomware encrypted your most important files

This is a program that restores various files on your devices. Also, Data Recovery Pro can recover accidentally deleted files

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Shrug2 ransomware;
  • Restore them.

Windows Previous Versions feature can recover various files on your Windows device

If the System Restore feature was enabled before the attack, you can follow the steps and restore data using Windows Previous Versions feature

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer and restore encrypted data

However, if Shrug2 ransomware deleted Shadow Volume Copies ShadowExplorer cannot help

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not possible

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Shrug2 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References