Shrug2 Ransomware Overview
Recently, security researchers found a new ransomware family, “Shrug2 Ransomware”.
This ransomware renames each affected file by appending the .Shrug2 extension.
Once encryption has completed, it displays a ransom note UI on the screen.
According to the ransom note, it demands 70 US dollars in BTC in exchange for decryption. If the user does not pay within 3 days, it deletes the encrypted files once the countdown expires.
The victim is told to send the ransom to the given bitcoin address 1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx
Flowchart

Technical Analysis of Shrug2 Ransomware
File Name: shr.exe
MD5: 04112AEC47401C3D91A92CFDF9DE02E6
SHA1: 6C2194F9067756CA039D57113E3B93A7A34659D4
SHA256: C89833833885BAFDCFA1C6EE84D7DBCF2389B85D7282A6D5747DA22138BD5C59
File Type: .EXE
Detailed Description of Shrug2 Ransomware with Screenshots
This ransomware requires at least .NET Framework 4.5, as shown below

Figure 1 Assembly Information
On execution, the ransomware first checks for an internet connection; if no internet connection is available, it does not proceed.
It checks internet connectivity by requesting the following URL
http://clients3.google.com/generate_204
When requested from the actual Google servers, this URL returns an HTTP 204 response with no content.
If it finds an internet connection on the user’s system, it creates the following process tree on the victim machine

Figure 2 Process Tree
As shown below, this ransomware queries registry flags and decides its subsequent activity based on them

Figure 3 Query Registry
The following registry changes are made by this ransomware:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Shrug2_RASAPI32
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\identifier: "admin/15010"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\installdate: "25/07/2018 23:40:58"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\crykey: "DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\cryiv: "WJYtqQd6h6j95gyh"
HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASMANCS
Once the registry flag step has succeeded, it executes the following command, which modifies the access control list of the current directory tree (granting the Everyone group full control, recursively):
cmd.exe /C Icacls . /grant Everyone:F /T /C /Q
Thereafter, it deletes the system restore points. Instead of using WMIC.exe shadowcopy delete or vssadmin.exe Delete Shadows /All /Quiet,
it uses the SRRemoveRestorePoint API to delete system restore points (volume shadow copies) from the victim machine, as shown below. According to the code, it deletes up to 50 system restore points.

Figure 4 Delete System Restore Point
Thereafter, it starts searching for files with matching extensions; this ransomware encrypts only files whose extension appears in its extension list. The file extension list is as follows:
“.txt .docx .xls .doc .xlsx .ppt .pptx .odt .jpg .png .jpeg .csv .psd .sql .mdb .db .sln .html .php .asp .aspx .html .xml .json .dat .cpp .cs .py .pyw .c .js .java .mp4 .ogg .mp3 .wmv .avi .gif .mpeg .msi .zip .rar .7zip .7z .bmp .apk .yml .qml .py3 .aif .cda .mpa .wpl .mid .midi .pkg .deb .arj .z .o .rpm .tar.gz .gz .dbf .yml .tar .pl .rb .ico .tiff .tif .asp .xhtml .rss .jsp .htm ”
While running in the background, the ransomware renames each affected file by appending “.Shrug2”.

Figure 5 Shrug2 Extension
As shown below, this ransomware contains self-deletion code, which runs silently by executing the following hidden process.

Figure 6 Self Deletion
Once encryption has completed, it shows the following ransom note UI on the victim’s desktop (“Ooops! Your files have been encrypted”).
As shown in the ransom note, the ransomware runs a countdown timer and deletes the files if the victim does not pay within the given time.

Figure 7 Ransom Note
On clicking the “Check Payment” button, it checks the payment status by accessing the following URL
hxxp://tempacc11vl[.]000webhostapp.com/marthas_stuff/freehashes[.]txt
If the victim has paid the ransom amount, it cross-checks the payment by accessing the following URL
hxxp://tempacc11vl[.]000webhostapp[.]com/marthas_stuff/upoldhash.php
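Taken together, the ShrugTwo registry keys, the icacls command, the .Shrug2 rename and the payment-check host described above are the behaviours a defender can alert on. The following is an added example (not code from the original post) that runs simple detection rules over constructed, Sysmon-style telemetry records and also pulls the cleartext crykey/cryiv values out of the registry events so responders can preserve them; the `type|field|field` record format and every sample line are assumptions made for this example.

```python
import re

# Constructed, simplified Sysmon-style records ("type|field|field"), assumed
# for this example; they are not telemetry captured from a real infection.
SAMPLE_EVENTS = [
    r"RegistryEvent|HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\crykey|DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC",
    r"RegistryEvent|HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\cryiv|WJYtqQd6h6j95gyh",
    r"ProcessCreate|cmd.exe|cmd.exe /C Icacls . /grant Everyone:F /T /C /Q",
    r"FileRename|C:\Users\victim\Documents\report.docx|C:\Users\victim\Documents\report.docx.Shrug2",
    r"NetworkConnect|shr.exe|tempacc11vl.000webhostapp.com",
    r"ProcessCreate|explorer.exe|explorer.exe",
    r"FileRename|C:\Temp\a.txt|C:\Temp\b.txt",
    r"NetworkConnect|chrome.exe|clients3.google.com",
]

# (event type, pattern over the remaining fields, rule name, severity). The
# generate_204 probe is deliberately not a rule: benign software uses it too.
RULES = [
    ("RegistryEvent", re.compile(r"\\ShrugTwo\b", re.I),
     "shrug2_registry_key", "high"),
    ("ProcessCreate", re.compile(r"\bicacls\b.*/grant\s+Everyone:F\b.*/T\b", re.I),
     "icacls_grant_everyone_recursive", "medium"),
    ("FileRename", re.compile(r"\.Shrug2$", re.I),
     "shrug2_extension_rename", "high"),
    ("NetworkConnect", re.compile(r"tempacc11vl\.000webhostapp\.com$", re.I),
     "shrug2_payment_check_host", "high"),
]

KEY_MATERIAL = re.compile(r"\\ShrugTwo\\(crykey|cryiv)\|(.+)$", re.I)

def scan(events):
    """Return one alert dict per event that matches a rule (first match wins)."""
    alerts = []
    for line in events:
        event_type, _, rest = line.partition("|")
        for etype, pattern, name, severity in RULES:
            if etype == event_type and pattern.search(rest):
                alerts.append({"rule": name, "severity": severity, "event": line})
                break
    return alerts

def extract_key_material(events):
    """Collect the cleartext crykey/cryiv values from registry events for the IR record."""
    found = {}
    for line in events:
        match = KEY_MATERIAL.search(line)
        if match:
            found[match.group(1).lower()] = match.group(2)
    return found
```

The icacls rule is kept at medium severity because administrators occasionally run similar commands legitimately; the other three are specific to this sample.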
The funniest part is the ransom note’s boast, asking “Are you proud of me, papa wannacry? What about you momma NotPetya?”
As shown in the ransom note, the ransomware creator lists his Bitcoin address (“1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx”).
As shown below, at the time of analysis no one had paid any ransom to the given bitcoin address.

Figure 8 Bitcoin Transaction Information
As shown below, this ransomware also creates a shortcut file on the desktop, “@ShrugDecryptor@.lnk”.

Figure 9 Desktop Shortcut
IOCs
Associated File Names & Hashes:
File Name: shr.exe
MD5: 04112AEC47401C3D91A92CFDF9DE02E6
SHA1: 6C2194F9067756CA039D57113E3B93A7A34659D4
SHA256: C89833833885BAFDCFA1C6EE84D7DBCF2389B85D7282A6D5747DA22138BD5C59
File Type: .EXE
Associated Bitcoin Address
1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx
Associated Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Shrug2_RASAPI32
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\identifier: "admin/15010"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\installdate: "25/07/2018 23:40:58"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\crykey: "DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC"
HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\cryiv: "WJYtqQd6h6j95gyh"
HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASMANCS
Associated URLs
hxxp://tempacc11vl[.]000webhostapp.com/marthas_stuff/freehashes[.]txt
hxxp://clients3[.]google[.]com/generate_204
hxxp://tempacc11vl.000webhostapp[.]com/marthas_stuff/upoldhash[.]php
Tips to Prevent Viruses and Malware from Infecting Your System:
- Enable your pop-up blocker: Pop-ups and ads on websites are a common tactic used by cybercriminals to spread malicious programs.
So, avoid clicking on untrusted sites, software offers, pop-ups etc., and install a reputable ad blocker for Chrome, Mozilla Firefox, and IE.
- Keep Windows updated: To avoid such infections, keep your system updated through automatic Windows Update. Outdated or older versions of the Windows operating system are an easy target.
- Third-party installations: Avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
- Regular backups: Regular, periodic backups keep your data safe in case the system is infected by ransomware or any other malware. Always back up important files regularly to a cloud drive or an external hard drive.
- Always have an antivirus: Prevention is better than cure. We recommend installing an antivirus such as ITL Total Security or a good malware removal tool such as Download Virus Removal Tool.