Shrug2 .NET Ransomware

Quick Heal Security Labs has published a report on ransomware they have dubbed Shrug2. The ransomware is built on the .NET framework. Quick Heal has observed an increase in ransomware based on the .NET framework. Shrug2 targets some 76 file types and encrypts them using the AES256 algorithm in Cipher Block Chaining mode and adds the extension “.SHRUG2” to the encrypted files. The ransom demand is for $70 worth of Bitcoin. Shrug2 is detected by multiple vendors; however, different names are applied. Refer to the VirusTotal link in the Detection section for further details. For a complete technical analysis of the malware, see the Quick Heal article.

This ransomware encrypts files with around 76 different extensions. The list of extension is as follows:

“txt, .docx, .xls, .doc, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .jpeg, .csv, .mdb, .db, .sln,     .html, .php, .asp, .aspx, .html, .xml, .json, .dat, .cpp, .cs, .c, .js, .java, .mp4, .ogg,     .mp3, .wmv, .avi, .gif, .mpeg, .msi, .rar, .7zip, .z, .apk, .yml, .qml, .py3, .aif, .cda,     .mpa, .wpl, .mid, .pkg, .deb, .arj, .rpm, .gz, .dbf, .yml, .tar, .pl, .rb, .ico, .tif, .asp,     .xhtml, .rss, .jsp, .htm, .o, .zip, .midi, .tiff, .tiff, .midi, .zip, .tar.gz, .pyw, .bmp, .sql,   .psd, .7z”

The ransomware enumerates all files with the above extensions present in C:\\ drive only and stores them in a list named “FilesToHarm”. This list is later used for file encryption.

URL shows as “Malware” – Checked 12-09-2018

Indicators of Compromise

Registry Entry:
  • HKCU\ShrugTwo
Bitcoin Wallet Address:
  • 1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx
hxxp://– Do not block this URL – This is used to check for an active Internet connection

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: