{"id":2831,"date":"2024-09-25T20:10:15","date_gmt":"2024-09-25T20:10:15","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2831"},"modified":"2025-07-29T06:41:18","modified_gmt":"2025-07-29T06:41:18","slug":"_%e3%83%84_-%c2%af-hit-by-shrug-ransomware-heres-how-to-decrypt-without-paying","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/_%e3%83%84_-%c2%af-hit-by-shrug-ransomware-heres-how-to-decrypt-without-paying\/","title":{"rendered":"_(\u30c4)_\/\u00af – hit by Shrug Ransomware? Here\u2019s how to decrypt without paying"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Overview<\/strong><\/p>\n\n\n\n

Shrug Ransomware, the latest malware LMNTRIX researchers have seen in the wild, had the potential to be devasting \u2013 fortunately, its authors left the keys needed to unlock files in the registry. This means victims can basically \u2018shrug it off\u2019 because files can be decrypted without having to pay the ransom. <\/p>\n\n\n\n

To be specific, Shrug uses Random Key Generation for each user and the key is stored in the registry \u2013 this value is referenced by the ransomware for encryption\/decryption.<\/p>\n\n\n\n

By following the below steps, a victim can decrypt their files and remove the ransomware: <\/p>\n\n\n\n

Step 1<\/strong>. Restart the infected machine to remove the Lock screen and terminate the malicious process responsible for locking the mouse and keypad (explained in further detail in the analysis) <\/p>\n\n\n\n

Step 2<\/strong>:  Open File explorer<\/p>\n\n\n\n

Step 3<\/strong>: Enter the Shrug ransomware installer path (C:\\Users\\USERNAME\\AppData\\Local\\Temp\\shrug.exe) <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 4<\/strong>. Perform a Permanent delete of the installer file \u201cshrug.exe<\/strong>\u201d [Shift + Delete]\n\n\n\n

Step 5<\/strong>. Open RUN app on Windows by typing \u201cRUN\u201d on Windows search panel, type Regedit<\/strong> and hit OK<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 6<\/strong>. Navigate to the location HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 7<\/strong>. Identify the Key value titled \u201cShrug\u201d<\/strong><\/p>\n\n\n\n

Step 8<\/strong>. Copy the key value of \u201cShrug\u201d<\/strong> for future reference in a text file, right-click on it and hit \u201cDelete\u201d<\/strong><\/p>\n\n\n\n

Step 9<\/strong>. Clear your Recycle Bin<\/strong> and Restart the machine<\/p>\n\n\n\n

Although the ransomware can be easily removed, prevention is always better than cure. In Shrug\u2019s case, its authors primarily deliver the payload via drive by downloads or embedding the ransomware in fake software or gaming applications. Users should ensure they\u2019re only downloading authentic versions of software to avoid falling victim in the first place. <\/p>\n\n\n\n

While we will unpack Shrug in detail, first let\u2019s look at the functionality that allows us to negate the ransomware without having to pay anything.<\/p>\n\n\n\n

Hypothetically, after a ransom is paid, Shrug ransomware uses the same unique identifier it uploads to a remote server to decrypt files.<\/p>\n\n\n\n

A unique identifier list is downloaded from: <\/p>\n\n\n\n

\u201chxxp:\/\/tempacc11vl[.]000webhostapp[.]com\/marthas_stuff\/freehashes.txt”.<\/p>\n\n\n\n

Once the list is downloaded, Shrug searches the list using the Unique Identifier for the paying victim\u2019s machine and decrypts the files. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1: Shrug\u2019s decryption process and messages<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2:  ShrugForm Decrypt<\/em><\/p>\n\n\n\n

Shrug stores the Random Key Generation for a specific user in the registry. It is this value that the ransomware references for encryption\/decryption. The Keys are stored under Windows\\CurrentVersion\\Run \u201cShrug\u201d:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Code to write registry key<\/em><\/p>\n\n\n\n

With that being said, lets dive in to Shrug in more detail:<\/p>\n\n\n\n

File Analysis<\/strong><\/ins><\/p>\n\n\n\n

File Hash (SHA256): <\/strong><\/p>\n\n\n\n

\u2022    b14a57ad391d9ba5b2714dad4773118f118ed8d64b523466bb60f3b18336efc1<\/p>\n\n\n\n

\u2022    9f802a6a86b4df3730bc47372626279eef4544e4a2d75a7989fdf5405627ac7c<\/p>\n\n\n\n

File Size<\/strong>: 24.5 KB<\/p>\n\n\n\n

The original file is compiled using .NET. The ransomware\u2019s main function contains the below code (see Figure 4) to drop Shrug.exe. This contains the function cryptor to decrypt the contents of \u201cShrugEnc\u201d and drops Shrug.exe in %temp% directory. <\/p>\n\n\n\n

It then creates a Windows\\CurrentVersion\\Run entry, with the value \u2018Shrug\u2019, to point to the dropped .exe file \u2013 this ensures it runs on every windows start-up. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4: Main Function<\/em><\/p>\n\n\n\n

The cryptor (String Key, String IV) function uses common AES Encryption\/Decryption functions from \u201cSystem.Security.Cryptography;” as shown below in Figure 5. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5: AES Cryptography Encryption\/Decryption Functions<\/em><\/p>\n\n\n\n

The main file contains an Encrypted Resource named \u201cShrugEnc\u201d as shown below in Figure 6.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6: Encrypted ShrugEnc in Resources<\/em><\/p>\n\n\n\n

After being dropped, Shrug.exe contains strings that clearly give away its ransomware functionality, as shown in below Figure 7:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 7: Shrug.exe after Decryption and Windows Run Entry.<\/em>

After successful infection, Shrug locks the screen with a ransom note (see Figure 8 below) and prompts the user to pay USD $50 in bitcoin to have files restored. Files are encrypted with a unique ID and an AES Random key. The user is given three days to pay, before the files are permanently deleted. 
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


 

Figure 8 Ransom note, Timer, Attacker Bitcoin Wallet details<\/em><\/p>\n\n\n\n

Below is a list of files Shrug encrypts with the \u201c.SHRUG\u201d extension.<\/p>\n\n\n\n

“txt”,”docx”,”xls”,”doc”,”xlsx”,”ppt”,”pptx”,”odt”,”jpg”,”png”,”jpeg”,”csv”,”psd”,”sql”,”md
b”,”db”,”sln”,”html”,”php”,”asp”,”aspx”,”html”,”xml”,”json”,”dat”,”cpp”,”cs”,”py”,”pyw”,”
c”,”js”,”java”,”mp4″,”ogg”,”mp3″,”wmv”,”avi”,”gif”,”mpeg”,”.msi”,”zip”,”rar”,”7zip”,”7z”,”
bmp”,”apk”,”yml”,”qml”,”py3″<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Figure 9 Targeted Extensions<\/em>

Encryption<\/strong>

Even though a victim is able to decrypt the files themselves, it is worth examining how the ransom process was designed to work, had the attackers been competent. Shrug prompts the user to pay, and in order to do so, they must provide their wallet id. These details are sent to the remote server [hxxp:\/\/tempacc11v1.000webhostapp] as shown below in Figure 10.

The details uploaded to the remote server include the victim\u2019s unique identifier (Username+MachineName), Cryptor (key, IV) and the user\u2019s Wallet id.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 10 Unique identifier<\/em><\/p>\n\n\n\n

Shrug Ransomware Functionality:<\/strong><\/p>\n\n\n\n

Shrug ransomware could have been a devastating malware variant due to its functionality. As well as encrypting files, it had the ability to lock the screen, remove system restore points,<\/strong> and lock keyboard and mouse events <\/strong>\u2013 each of which we\u2019ll unpack in further detail below.<\/p>\n\n\n\n

Lock Screen<\/strong><\/p>\n\n\n\n

Shrug uses typical Windows screen methods to lock the screen; it calculates the maximum screen coordinates using the \u2018primaryscreen\u2019 height and width values and sets the Form to that location (see Figure 11 below).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 11 LockScreen (Primaryscreen)<\/em><\/p>\n\n\n\n

Remove System Restore Points<\/strong><\/p>\n\n\n\n

System Restore points are removed so the user can\u2019t retrieve files through system backups. It does so using the function SRRemoveRestorePoint () from srclient.dll.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 12 code snippet for removing system restore point<\/em><\/p>\n\n\n\n

Lock Keyboard and Mouse Events:<\/strong>

Keyboard and mouse events are disabled using the BlockInput() Function.
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


 

Figure 13 Keyboard-mouse events<\/em>

Shrug monitors keyboard events using the function SetWindowsHookEx() and sets a call-back function to a low-level keyboard hook using the function LowLevelKeyboardProc(). 

This enables Shrug to hook all keyboard events, and block users from terminating the application.

 <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Figure 14 WH_Keyboard<\/em>

 <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Figure 15 CallNextHookEx<\/em>

CallNextHookEx contains a pointer to the Ransomware module. CallNextHookEx is used when there are other applications which also use the LowLevelKeyboardProc for processing keyboard hooks in the chain. Here, Shrug doesn\u2019t allow other applications to take control of the hook chain.

When a victim tries to exit the program or use the below combination of keyboard keys to terminate, it prevents those keyboard events.<\/p>\n\n\n\n

Ctrl+Alt+Delete
Shift+ESC
Ctrl+W
Alt+Tab
Alt+F4
Windows Key<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 16 ShrugForm keydown<\/em>

Threat Indicators<\/strong><\/ins>

File Hashes (SHA256)<\/strong>

\u2022    b14a57ad391d9ba5b2714dad4773118f118ed8d64b523466bb60f3b18336efc1

\u2022    9f802a6a86b4df3730bc47372626279eef4544e4a2d75a7989fdf5405627ac7c

File Extension<\/strong>

\u2022    .SHRUG

Files Dropped<\/strong>

\u2022    \\AppData\\Local\\Temp\\Shrug.exe

Command and Control<\/strong>

hxxp:\/\/tempacc11vl[.]000webhostapp[.]com\/marthas_stuff\/freehashes.txt

Registry entry added as:<\/strong><\/p>\n\n\n\n

Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run 
Value: “Shrug”
Data: C:\\Documents and Settings\\user\\AppData\\Local\\Temp\\Shrug.exe<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Shrug
Values: 
installdate, 
identifier, 
installed, 
key, 
IV<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Conclusion<\/strong>

Although attribution is always difficult in cyber security, it is fair to assume APT\u2019s or other sophisticated actors were not behind the Shrug ransomware. 

 <\/p>\n\n\n\n

On 2018-07-23<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Overview Shrug Ransomware, the latest malware LMNTRIX researchers have seen in the wild, had the potential to be devasting – fortunately, its authors left the keys needed to unlock files in the registry. This means victims can basically ‘shrug it off’ because files can be decrypted without having to pay the ransom.  To be specific, […]<\/p>\n","protected":false},"author":1,"featured_media":2834,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2831"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2831\/revisions"}],"predecessor-version":[{"id":4316,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2831\/revisions\/4316"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2834"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}