Shrug Ransomware Removal Guide

Today is World Emoji Day, and we would like to present a malicious file-encrypting threat called Shrug Ransomware. As the title suggests, the hackers who created it are using the popular Shrug emoji, which is seen at the beginning of the warning displayed by the malicious program. The text appears right after the infection blocks the device’s screen. Our specialists claim the information provided on it might state users have to transfer a particular amount of Bitcoins into the cybercriminals’ Bitcoin wallet. Needless to say, we would advise against putting up with any demands. Not only could it be extremely risky, but also completely unnecessary. To learn more about this, we encourage you to read the rest of this report. Also, at the end of it we will be placing recommended manual deletion instructions, so should you decide to erase Shrug Ransomware, feel free to use them.

The malware’s victims might receive it after opening an infected email attachment, clicking suspicious pop-up ads, or launching malicious program installers. In other words, if the user does not understand he is about to interact with possibly malicious content, he could infect the device without even realizing it. Apparently, Shrug Ransomware may not reveal its presence from the start as it could hide till it settles in and finishes the encryption process. Our specialists say the only file it should create is a key located in the HKEY_CURRENT_USER directory available through Registry Editor. The malware’s added key should be called Shrug, and it might be used to keep information identifying the victim, e.g., username, install date, encryption key, etc.

At the same time the threat might start encrypting all files that have the listed extensions: .txt, .docx, .xls, .doc, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .jpeg, .csv, .psd, .sql, .mdb, .db, .sln, .html, .php, .asp, .aspx, .html, .xml, .json, .dat, .cpp, .cs, .py, .pyw, .c, .js, .java, .mp4, .ogg, .mp3, .wmv, .avi, .gif, .mpeg, .msi. After the encryption, such files should have a double extension because Shrug Ransomware should mark each file with extension of its own, e.g., panda.jpg.SHRUG, castle.png.SHRUG, charter_one.pdf.SHRUG, and so on. Then the malware should reveal its presence by locking users screen and showing the warning we talked about earlier in the article. The reason we did not advise putting up with any requests the hackers may have is because there is a possibility the money you pay could be lost in vain. Plus, our specialists found out there are volunteer computer security specialists who developed a tool designed to decrypt data affected by Shrug Ransomware; all the victims have to do is find in on the Internet. Of course, those who made backup copies could use them instead to replace enciphered files.

If you decide you do not want to take any chances, we advise you to eliminate Shrug Ransomware at once. For starters, users should restart the computer as doing so is supposed to unlock the screen. Once you can use your device again you could either try to erase the data belonging to the malicious application manually or employ a reliable security tool and let it remove the malware for you. Users who pick manual deletion should have a look at our recommended removal instructions located at the end of the article; they will explain the whole process in detail.

Get rid of Shrug Ransomware

1. Restart the infected device.
2. Open File Explorer (Win+E).
3. Go to these locations separately:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
4. Search for a suspicious file that could be the malware’s installer; right-click it and select Delete.
5. Exit the Explorer.
6. Press Win+R and type Regedit.
7. Click OK and go to this path: HKEY_CURRENT_USER
8. Find a key named Shrug, then right-click it and choose Delete.
9. Exit your Registry Editor.
10. Empty Recycle bin.