On August 15, 2018, MalwareHunterTeam reported on their Twitter account another Hidden Tear variant called ShutUpAndDance. This ransomware appears to be a typical crypto-extortion threat, like its siblings derived from the same open-source GitHub project: AndreaGalli, PooleZoor, Sorry, Horros, Krypton and LanRan. It encrypts the victim’s files with an AES cipher, appends the .ShutUpAndDance extension to their names and drops a READ_IT.txt ransom note with directions to contact the crooks for file recovery (the amount of the ransom is not known).
While this seems like any other crypto extortionist, the developer of ShutUpAndDance made a few operational security mistakes, such as leaving the PDB (program database) path embedded in the executable, which reveals the directory on his own machine where the ransomware was compiled, and disclosing some of his own information. Apart from that, ShutUpAndDance is still a notorious virus that needs special treatment and knowledge of the techniques for restoring encrypted files. That is why in this article we have put together facts and instructions on how to take care of the issues ShutUpAndDance causes.
What is ShutUpAndDance virus
As we mentioned above, ShutUpAndDance is not a unique virus but an altered copy of a HiddenTear ransomware sample, which was posted on GitHub as learning material and has been misused by hackers ever since. Like the original, ShutUpAndDance behaves by the book, most likely because its developer does not have strong technical abilities.
Basically, after infecting the computer through a spam email, the launched executable silently runs in the background. It modifies Windows registry keys so that antivirus software would not detect it and so that it gains persistence across Windows restarts, and at the same time it encrypts files of the targeted types (personal documents such as .pdf, .doc, .mp3, .jpg, etc.) with an AES cipher. It then appends the .ShutUpAndDance string to the locked files’ names (‘bestsong.mp3’ becomes ‘bestsong.mp3.ShutUpAndDance’) and drops the ransom note to explain the situation to the victim and push them into paying the crooks. (More details in How cryptography and malware make ransomware.)
The displayed FSociety-themed ransom message, READ_IT.txt, gives the impression of a serious, anonymous and skilled hacker, but in reality the developer failed to strip the PDB path, which reveals the directory on his computer where the ShutUpAndDance virus was compiled (C:\Users\Elprofesor\Desktop\virus\Hidden-tear-2.0-master\hidden-tear\hidden-tear\obj\Debug\adobe.pdb). He also gave away the C2 server name (the Command and Control server, which generates the encryption key and does the encryption and decryption), which traces ShutUpAndDance to Mexico (siga.semarnath.gob. mx).
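The PDB path leak described above is visible in the binary's CodeView debug record, which starts with the signature "RSDS", followed by a 16-byte GUID, a 4-byte age and a NUL-terminated path. The following Python is an added analysis example, not code from the article or from the malware: it scans raw bytes for such records and pulls out the Windows account name the path exposes. The input is a constructed byte blob (padding around one record) rather than a real PE file; the path is the one quoted above, while the GUID and age are made up.

```python
import re
import struct

# Constructed stand-in for bytes read from a PE file: padding, one CodeView
# "RSDS" record (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path),
# then more padding. GUID bytes and age value are arbitrary sample values.
PDB_PATH = (r"C:\Users\Elprofesor\Desktop\virus\Hidden-tear-2.0-master"
            r"\hidden-tear\hidden-tear\obj\Debug\adobe.pdb")
SAMPLE_BLOB = (b"\x00" * 32 + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
               + PDB_PATH.encode("ascii") + b"\x00" + b"\x00" * 16)


def _guid_str(raw):
    """Format the 16 GUID bytes the way debuggers print them (mixed endianness)."""
    d1, d2, d3, rest = struct.unpack("<IHH8s", raw)
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{rest[:2].hex().upper()}-{rest[2:].hex().upper()}"


def find_pdb_paths(data):
    """Scan raw bytes for RSDS records; return a list of (guid, age, pdb_path)."""
    found = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0 or pos + 24 > len(data):
            break
        end = data.find(b"\x00", pos + 24)
        if end < 0:
            break
        path = data[pos + 24:end].decode("ascii", errors="replace")
        # Only accept something that actually looks like a PDB path.
        if path.isprintable() and path.lower().endswith(".pdb"):
            age = struct.unpack_from("<I", data, pos + 20)[0]
            found.append((_guid_str(data[pos + 4:pos + 20]), age, path))
        pos = end + 1
    return found


def leaked_username(pdb_path):
    """Return the account name from a C:\\Users\\<name>\\... path, or None."""
    m = re.match(r"^[A-Za-z]:\\Users\\([^\\]+)\\", pdb_path)
    return m.group(1) if m else None


if __name__ == "__main__":
    for guid, age, path in find_pdb_paths(SAMPLE_BLOB):
        print(f"PDB {path} (GUID {guid}, age {age}); user: {leaked_username(path)}")
```

Scanning the whole file for the signature is a shortcut; a full parser would walk the PE debug directory to the record, but the extracted path is the same.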
This is what the original ransom note READ_IT.txt says:
WE SAW WHAT YOU DID.
YOUR FILES ARE ENCRYPTED!
SEND US AN EMAIL FOR INSTRUCTIONS
While the developer has a lot to learn from his mistakes about anonymity, ShutUpAndDance is still capable of locking files, and its installer, named ‘adobe.exe’, is flagged as a dangerous threat by many antivirus engines in VirusTotal analysis. If you’d like to learn more about the way ransomware works, take a look at this Article, or just skip to the removal part to finally get rid of the annoying and scary ShutUpAndDance ransomware permanently.
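Before any cleanup, it helps to know how far the encryption described above got. The Python below is an added triage example, not code from the article: it walks a directory tree, counts files carrying the .ShutUpAndDance extension and READ_IT.txt notes, groups the locked files by their original type, and flags any un-suffixed original still sitting next to its locked copy (a recovery candidate). The sample tree it builds is constructed for the demonstration; the placeholder contents are not real ciphertext.

```python
import tempfile
from pathlib import Path

EXT = ".ShutUpAndDance"   # extension the article says is appended to locked files
NOTE = "READ_IT.txt"      # ransom note name from the article


def triage(root):
    """Walk root and summarise what the ransomware left behind."""
    root = Path(root)
    encrypted, notes, by_type, plaintext_left = [], [], {}, 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE:
            notes.append(path)
        elif path.name.endswith(EXT):
            encrypted.append(path)
            original = path.name[:-len(EXT)]            # e.g. 'bestsong.mp3'
            kind = Path(original).suffix.lower() or "(none)"
            by_type[kind] = by_type.get(kind, 0) + 1
            # An un-suffixed file beside the locked one may be an intact copy:
            # check it before anything else is touched.
            if path.with_name(original).exists():
                plaintext_left += 1
    return {
        "encrypted": len(encrypted),
        "notes": len(notes),
        "by_type": by_type,
        "note_dirs": sorted(str(n.parent.relative_to(root)) for n in notes),
        "plaintext_left": plaintext_left,
    }


def build_sample_tree():
    """Constructed post-infection user profile for testing; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="sud_triage_"))
    locked = ["Documents/report.doc", "Documents/invoice.pdf",
              "Music/bestsong.mp3", "Pictures/cat.jpg"]
    for rel in locked:
        p = root / (rel + EXT)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not real ciphertext")
    (root / "Pictures" / "clean.png").write_bytes(b"untouched")
    (root / "Music" / "bestsong.mp3").write_bytes(b"a surviving plaintext copy")
    for d in ("Documents", "Music"):
        (root / d / NOTE).write_text("WE SAW WHAT YOU DID.\n")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```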
Where is ShutUpAndDance ransomware distributed
There are a lot of Distribution methods by which ransomware viruses spread; however, knowing the skillset of the ShutUpAndDance developer, the most probable and easiest distribution method is Phishing. Spam emails do not require much technical knowledge, unlike exploit kits, P2P network infection and the like, but they do require good social engineering and convincing capabilities. ShutUpAndDance ransomware spreads as a file named adobe.exe.
In order to infect the computer, the virus needs the victim to click on a malicious link or attached file to launch the attack, and this is achieved by writing a believable bogus message that makes the user open the file. Usually it is a bank alert, an invoice, an invitation, an update that requires attention, unusual account activity information, data from a hospital, and so on. These emails are pretty short and point to the malicious content, which supposedly has more details. But once the attachment is opened or macros are enabled, the computer’s files get locked down. Therefore, just by using simple awareness and checking the sender, people can avoid ransomware attacks like ShutUpAndDance, but reading the Ultimate prevention guide is the best time investment for the future.
How to deal with ShutUpAndDance ransomware
The easiest way to get rid of ShutUpAndDance, if you do not feel up to following long instructions or don’t have time, is to use Spyhunter software. These are anti-spyware tools that were developed years ago and have been perfected since to hunt down every threat, whether a mere browser hijacker or, on the contrary, difficult ransomware, and to terminate them as effectively and cleanly as possible. That is sometimes hard to achieve manually; furthermore, the detection feature is irreplaceable, since these malware removal programs can find ShutUpAndDance, as well as other parasites that crept in at the same time, in the most secret and distant corners of your PC.
Automatic Malware removal tools
How to remove ShutUpAndDance virus and restore files
The alternative ShutUpAndDance virus removal method is manual removal, which requires some basic computer knowledge and the ability to follow our instructions thoroughly. Below you will find not only the guide on how to get rid of ShutUpAndDance ransomware but also tips on how to restore locked files. Since this virus is just a copy of the Hidden Tear project, you could try the common Decryption software for this type of virus. If that fails, take a look at how to recover your encrypted data from Shadow Copies and with the other programs mentioned in the guide below.
How to recover ShutUpAndDance ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points available from before ShutUpAndDance ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of ShutUpAndDance ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to ShutUpAndDance ransomware. You can check other tools here.
Step 3. Restore ShutUpAndDance ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually ShutUpAndDance ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover ShutUpAndDance ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.