Shrug2 .NET Ransomware

Quick Heal Security Labs has published a report on ransomware they have dubbed Shrug2. The ransomware is built on the .NET framework. Quick Heal has observed an increase in ransomware based on the .NET framework. Shrug2 targets some 76 file types and encrypts them using the AES256 algorithm in Cipher Block Chaining mode and adds the extension “.SHRUG2” to the encrypted files. The ransom demand is for $70 worth of Bitcoin. Shrug2 is detected by multiple vendors; however, different names are applied. Refer to the VirusTotal link in the Detection section for further details. For a complete technical analysis of the malware, see the Quick Heal article.

This ransomware encrypts files with around 76 different extensions. The list of extension is as follows:

“txt, .docx, .xls, .doc, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .jpeg, .csv, .mdb, .db, .sln,     .html, .php, .asp, .aspx, .html, .xml, .json, .dat, .cpp, .cs, .c, .js, .java, .mp4, .ogg,     .mp3, .wmv, .avi, .gif, .mpeg, .msi, .rar, .7zip, .z, .apk, .yml, .qml, .py3, .aif, .cda,     .mpa, .wpl, .mid, .pkg, .deb, .arj, .rpm, .gz, .dbf, .yml, .tar, .pl, .rb, .ico, .tif, .asp,     .xhtml, .rss, .jsp, .htm, .o, .zip, .midi, .tiff, .tiff, .midi, .zip, .tar.gz, .pyw, .bmp, .sql,   .psd, .7z”

The ransomware enumerates all files with the above extensions present in C:\\ drive only and stores them in a list named “FilesToHarm”. This list is later used for file encryption.

Indicators of Compromise

• 04112aec47401c3d91a92cfdf9de02e6

• HKCU\ShrugTwo

• 1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx