A new iteration of the notorious Locky virus, which was previously known also as Zepto, Odin and Bart has come out into the open. For those who are unfamiliar of the virus, it is a ransomware type of threat which is known for it’s strong encryption algorithms it uses to scramble files of the computers the virus has infected. In addition to this, Locky ransomware also uses a ransom note which It may change to the wallpaper notifying victims to pay a hefty ransom fee to get their files back via a unique decryption software held only by the cyber-crooks. Researchers strongly advise anyone who has been infected by locky ransomware to immediately seek for alternative methods to restore their files and remove the .shit ransomware variant of Locky using the information in this article.
More Information about Locky’s New .shit Variant
The latest variant of this virus relies on C2 servers (Command and Control) to control the virus and many hosts linked to those servers for spreading the virus. In addition to this, the payload of the virus features two formats – HTML type of file and JavaScript downloader malware. Not only this, but the files also have two extensions that make them more evasive. The file extensions .hta for the HTML type of file and .wsf for the Java Downloader are being used. They are also concealed under a unique .zip type of files that may conceal the infection files from any spam filters or e-mail protection software.
Not only this, but the payload of the files also have the name Receipt which has random numbers and letters and aims to resemble an actual receipt from a product or service that has been purchased. This clever technique to motivate victims in order to pay the ransom is a very cunning one, because anyone will get curious especially if they do not realize they have actually paid for something.
But the virus may not only be replicated via e-mail. It may also be posted on comments and other unique websites that allow users to post web links. Such web links may themselves be legitimate to avoid detection, but they may also contain a malicious script that may cause an infection by redirecting the user from the “legitimate” web link to a malicious one.
As soon as the Locky virus slithers onto your computer, it may cause a restart and begin encrypting files on Windows Boot Up.
To encrypt the files the .shit version of Locky ransomware scans for those type of files that you may mostly use, such as:
- Your videos.
- Audio files.
- The pictures.
- All of the Microsoft Office documents.
- Adobe Reader, Photoshop and other files associated with often used type of programs.
When Locky has finished encrypting the files of the infected computer, the next step is to add the .shit file extension, making it distinctive. Files encrypted by the .shit virus also become irrecoverable primarily because of the fact that their structure code is changed. This is achievable by a unique encryption algorithm, which researchers believe to be RSA or AES encryption, or even both used together. As soon as Locky encrypts the files, it sends unique decryption keys to the following command and control hosts:
- 185.102.136.77
- 91.200.14.124
- 109.234.35.215
- Bwcfinnt.work
Bear In mind that these hosts may not be actual ones since they might be hidden behind VPN tunnels or proxies.
Locky Ransomware’s .shit Variant – Conclusion and File Restoration
The bottom line is that Locky is back and it’s latest .shit file extension virus variant is no joke, just like every other Locky ever created. Since alongside Cerber ransomware and CryptoWall this is one of the big players in the ransomware markets, researchers will surely look for a way to break this virus using flaws in it’s code and develop a free decryptor. However, there has not been a decrypter developed for any Locky ransomware variant so far.
And recently, malware researchers have discovered more countries affected by the virus, suggesting this is a massive ongoing infection campaign:
- Brazil.
- Portugal.
- Switzerland.
- Jordan.
- Slovakia.
- Belgium.
- Turkey.
- Finland.
- Bosnia and Herzegovina.
- Denmark.
With these new discoveries, the countries infected by the virus become more.
This is why it is important to protect yourself from any infections of the virus by installing an advanced anti-malware program that contains a real-time-shield against such Locky .shit ransomware.
Download Malware Removal Tool, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files