How to shrug off the Shrug ransomware

Ransomware is the kind of malware a lot of people dread. It encrypts your files so you cannot access them anymore and demands a payment (most of the time in bitcoins) that’s always way too high.

Shrug is one such piece of malware: once on your PC it demands $50 in Bitcoin before you can get your files back. Luckily for everyone you don’t actually have to pay up – the cybercriminals ship the key needed to decrypt your files together with the ransomware itself.

What is Shrug?

Shrug gets onto the victim’s PC the way a lot of malware does: embedded in fake apps. As soon as it is on the system it gets to work, starts encrypting files and appends the “.shrug” extension to each of them. Once this is done you basically have no access to the files anymore and the usual ransomware message pops up.

In Shrug’s case the demanded ransom is about $50 – but even though that’s probably not a lot of money for your files, you should never pay up. The chances that you’ll get the encrypted files back are minimal to nil. Luckily, with Shrug you actually have another option.

How to remove Shrug from your system

First off, you should make sure that ransomware NEVER finds its way onto your PC in the first place. Up-to-date software and good antivirus protection can help you with that, so make sure you are covered.

Ransomware developers normally make sure to keep the keys needed to decrypt the files on an online server far away from their victims. After all, they want them to pay up. According to ZDNet, that’s not the case for Shrug. Malware researchers from LMNTRIX have discovered that the cybercriminals behind Shrug left the key in the Windows registry – unencrypted and ready to use to save your files.

To do so just follow the 5 easy steps outlined below:

  • Restart your PC to terminate the ransomware process that is locking your mouse and keyboard
  • Navigate to the Shrug ransomware installer path located at: C:\Users\<Your PC Username>\AppData\Local\Temp\shrug.exe. Replace <Your PC Username> with whatever you use as a username. Permanently delete the file by pressing Shift+Delete.
  • Open the Windows search panel and type in “Run”. This opens the Run app.
  • Enter Regedit to open the Windows Registry Editor and then navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Identify the value named “Shrug” under that key and delete it. Empty your recycle bin as well.
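
If you would rather check a machine for these two artifacts before touching anything, the following PowerShell script is an added example (it is not part of the original post or of Avira’s own tooling). It assumes only what the steps above state: the installer sits at %LOCALAPPDATA%\Temp\shrug.exe and persistence is a value named “Shrug” under the HKCU Run key. Run it after the restart from step 1; without -Remove it only reports.

```powershell
# Added example, not from the original post: audit a PC for the Shrug artifacts
# the post describes and, only with -Remove, clean them up. -WhatIf previews.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports findings
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Shrug'                                    # value name given in the post
$installer = Join-Path $env:LOCALAPPDATA 'Temp\shrug.exe'   # C:\Users\<you>\AppData\Local\Temp\shrug.exe

$findings = @()

# 1. Persistence: a Run value named "Shrug" that relaunches the malware at logon
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{
        Artifact = "Run value '$valueName'"
        Location = $runKey
        Detail   = $runValue.$valueName   # the command line Windows would execute at logon
    }
}

# 2. Dropped installer in the user's Temp folder; hash it before deleting for your notes
if (Test-Path -LiteralPath $installer) {
    $hash = (Get-FileHash -LiteralPath $installer -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Artifact = 'Installer'
        Location = $installer
        Detail   = "SHA256 $hash"
    }
}

# 3. Scope the damage (read-only): how many files under the profile carry the .shrug extension
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Filter '*.shrug' -Recurse -File -ErrorAction SilentlyContinue
Write-Host "Encrypted (.shrug) files under $($env:USERPROFILE): $($encrypted.Count)"

if (-not $findings) { Write-Host 'No Shrug persistence or installer artifacts found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    # Steps 2 and 5 of the post: delete the Run value, then the dropped binary
    if ($runValue -and $PSCmdlet.ShouldProcess($runKey, "Remove value '$valueName'")) {
        Remove-ItemProperty -Path $runKey -Name $valueName
    }
    if ((Test-Path -LiteralPath $installer) -and $PSCmdlet.ShouldProcess($installer, 'Delete file')) {
        Remove-Item -LiteralPath $installer -Force
    }
}
```

Removing the artifacts stops the ransomware from running again, but it does not decrypt the .shrug files; keep the hash and the Run value’s command line for your incident notes before deleting.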

That’s it. After restarting your PC you should hopefully be rid of the ransomware.

PR & Social Media Manager @ Avira | Gamer. Geek. Tech addict.