Shrug ransomware can be deleted and data recovered for free, thanks to author blunder
- The Shrug ransomware demands $50 in Bitcoin as ransom.
- The ransomware is capable of locking not just a device’s screen but also keyboard and mouse activities.
A new ransomware variant called Shrug has been recently discovered. The ransomware uses common AES Encryption/Decryption functions and comes packed with various capabilities that could have made the malware a force to reckon.
However, the ransomware’s authors and/or operators made a mistake that gives anyone the ability to readily delete the malware and recover all of their data for free. According to security researchers at LMNTRIX Labs, who discovered the ransomware, the cybercriminals behind Shrug use a random key generator for each victim.
However, the cybercriminals inadvertently left the keys completely unencrypted in the malware directory, allowing victims to recover their files without having to pay a ransom.
Shrug ransomware features
Shrug appeared in the wild on July 6 and has been distributed via drive-by attacks, gaming apps and fake software. Similar to other ransomware variants, Shrug provides victims with detailed ransom payment instructions and demands $50 in ransom, to be paid in bitcoin.
“After successful infection, Shrug locks the screen with a ransom note and prompts the user to pay USD $50 in bitcoin to have files restored. Files are encrypted with a unique ID and an AES Random key. The user is given three days to pay, before the files are permanently deleted,” LMNTRIX Labs researchers wrote in a blog.
However, unlike other run-of-the-mill ransomware variants, the Shrug ransomware can not only lock an infected system’s screen and remove system restore points, it can also lock or disable keyboard and mouse events. The researchers believe that Shrug could have been “devastating” had its operators not blundered and left the decryption keys in the register.
Shrug ransomware authors aren’t sophisticated
According to LMNTRIX researchers, the developers of the Shrug ransomware are not a sophisticated cyber gang or an APT group. Instead, the researchers believe that the cybercriminals may still be new to malware development.
"The developers are newbies. While showing some technical skill, we assume they're new to the ransomware criminal market and this could be one of their first campaigns," Bipro Bhattacharjee, lead threat researcher at LMNTRIX, told ZDNet.