Tuesday, May 6, 2025
HomeRansomwareA New .NET Ransomware Shrug2 Encrypts Files Around 76 Different Extensions

A New .NET Ransomware Shrug2 Encrypts Files Around 76 Different Extensions

Published on

SIEM as a Service

Follow Us on Google News

Malware authors find easy to develop malware using the Microsoft .Net framework, some infamous ransomware like SamSam, Lime and now Shrug2 ransomware have been found built with .NET framework.

Shrug ransomware first appeared wild on July 6 embedded with fake software and gaming apps, now it appears it is coming back again with added features.

Quick heal spotted a new version of the ransomware dubbed Shrug2 developed in .NET framework. It attack’s the victim’s machine and demands ransom payments of 70$ in Bitcoins to decrypt the files.

- Advertisement - Google News

Shrug2 Ransomware Infection

Shrug2 ransomware distributed through Infection Vector such as Phishing Email, Email Attachments, RDP, Embedded Hyperlink, Drive by Infection and Websites & Downloads.

The infection vector of the ransomware is still unknown, once the ransomware infects the victim machine it checks for the active internet connection in the victim machine.

If the victim machine connected to the Internet then it check’s whether the system is already infected with SHRUG2 by checking the registry.

Shrug ransomware

If the system is not infected then it create’s registry entry “[ShrugTwo]” and then it reads the date and time when the ransomware infected the machine and based on that it shows the time left to decrypt the file. It uses AES256 bit key to encrypt the files.

Shrug ransomware

As like any other ransomware it also deletes the system restore points and grants execute a command to all directories and sub-directories.

The ransomware is capable of encrypting 76 file formats.

“txt, .docx, .xls, .doc, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .jpeg, .csv, .mdb, .db, .sln,
.html, .php, .asp, .aspx, .html, .xml, .json, .dat, .cpp, .cs, .c, .js, .java, .mp4, .ogg, .mp3,
.wmv, .avi, .gif, .mpeg, .msi, .rar, .7zip, .z, .apk, .yml, .qml, .py3, .aif, .cda, .mpa, .wpl,
.mid, .pkg, .deb, .arj, .rpm, .gz, .dbf, .yml, .tar, .pl, .rb, .ico, .tif, .asp, .xhtml, .rss,
.jsp, .htm, .o, .zip, .midi, .tiff, .tiff, .midi, .zip, .tar.gz, .pyw, .bmp, .sql, .psd, .7z”

It enumerates the files and creates a to [FilesToHarm] list to encrypt the files and the same list can be used to decrypt the files if the ransom is paid or to delete.

Shrug ransomware

Once the file’s encrypted it add’s “[.]SHRUG2″, and it shows the ransom note and the time left to decrypt the file. The ransomware is also capable of deleting the files if the ransom is not paid.

Quick Heal Security Labs published a blog post with Technical Analysis and Indicators of compromise.

What next: if you’re Infected

  • Disconnect the Network.
  • Determine the Scope.
  • Understand the version or Type of Ransomware.
  • Determine the Strains of Ransomware.

Mitigation

  • Use Strong Firewall to block the command & control server callbacks.
  • Scan all your emails for malicious links, content, and attachment.
  • Block the adds and unnecessary web content.
  • Enforce access control permission.
  • Take regular backups of your data.

Also Read

Ransomware Attack Response and Mitigation Checklist

Ransomware-as-a-Service – Princess Evolution Ransomware Advertised in Underground Forums

Police Department Infected Again by Ransomware Attack that Already Locked 1 Year of Work-Related Files

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers...

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in...

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered...

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in...

Initial Access Brokers Play a Vital Role in Modern Ransomware Attacks

The ransomware threat landscape has evolved dramatically in recent years, with specialized cybercriminals like...

DragonForce Ransomware Targets Major UK Retailers, Including Harrods, Marks & Spencer, and Co-Op

Major UK retailers including Harrods, Marks and Spencer, and Co-Op are currently experiencing significant...