Computers on Focus - Online Security Guide

12:40 pm
19 April 2024

.Shit Virus Files Removal

Receipt_{UniqueNumber}.hta is the first e-mail attachment detected to cause infections with the notorious Locky virus. Locky ransomware has been spread through many ransomware variants using the .odin, .zepto and .locky file extensions, but the latest variant of this virus uses the unique .shit file extension. The worst part of this is that the virus is as vulgar as its file extension suggests. Anyone who has been infected with the .shit file extension variant of Locky should not pay the ransom fee and should read the information in this article.

Download Malware Removal Tool, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files

DOWNLOAD REMOVAL TOOL FOR .shit files
The free version of SpyHunter will only scan your computer to detect any possible threats. To remove them permanently from your computer, purchase its full version. Spy Hunter malware removal tool additional information / SpyHunter Uninstall Instructions

Locky Ransomware – Further Details

The malicious command and control servers of this variant of Locky ransomware are believed to infect people from various countries, like:

  • Saudi Arabia
  • France
  • Poland
  • United Kingdom
  • Germany
  • Serbia

A list of some of the payload download sites used by the .shit file extension variant is given in the infection section further below.

Not only this, but the Locky ransomware virus has also been reported by the researcher operations6 (Twitter: @_operations6) to be associated with the following command and control server hosts via a linuxsucks.php type of file on port 80:

  • 185.102.136.77
  • 91.200.14.124
  • 109.234.35.215
  • Bwcfinnt.work

As soon as the latest iteration of the Locky virus infects your computer, it may immediately change your wallpaper to a ransom note similar to Locky’s original ransom note in the picture below:

[Image: Locky decryptor ransom note]

After this has been done, the ransomware may delete the shadow volume copies by executing the following command:

→vssadmin delete shadows /for={targeted drive, usually C:} /all /quiet

The /quiet switch suppresses all output, so the command deletes the backups and shadow copies (file history) from the affected computer silently, without the victim noticing it.
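As an added example (not code from the original article), here is a small Python detector that runs over constructed process-creation log lines and flags shadow-copy deletion via vssadmin, a common ransomware precursor that is worth alerting on. The key="value" event layout, the file names and the parent-process paths are assumptions made for this example; real Sysmon Event ID 1 or Windows 4688 records would be exported from the event log and parsed from XML or EVTX first.

```python
import re

# Constructed process-creation events in a simplified key="value" layout
# (an assumption for this example; real Sysmon Event ID 1 / Windows 4688 records
# would be exported from the event log and parsed from XML or EVTX first).
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin delete shadows /for=C: /all /quiet" '
    'ParentImage="C:\\Users\\victim\\AppData\\Roaming\\payload.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin list shadows" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\Users\\victim\\notes.txt" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

# key="value" pairs in one event line
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# vssadmin deleting shadow copies, tolerant of "delete shadows" and "delete-shadows"
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\s+delete[\s-]+shadows\b', re.IGNORECASE)
# a parent binary living in a user-writable location is an extra warning sign
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Downloads)\\', re.IGNORECASE)


def parse_event(line):
    """Return the quoted key="value" fields of one event line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return None for a benign event, otherwise a dict explaining the alert."""
    cmd = event.get("CommandLine", "")
    if not SHADOW_DELETE_RE.search(cmd):
        return None
    parent = event.get("ParentImage", "")
    return {
        "command": cmd,
        "parent": parent,
        "quiet": "/quiet" in cmd.lower(),  # output suppressed, as described in the article
        "parent_in_user_dir": bool(USER_WRITABLE_RE.search(parent)),
    }


def find_shadow_deletions(lines):
    """Run classify() over raw event lines and collect the alerts."""
    alerts = []
    for line in lines:
        verdict = classify(parse_event(line))
        if verdict is not None:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_EVENTS):
        severity = "HIGH" if alert["quiet"] and alert["parent_in_user_dir"] else "MEDIUM"
        print(f"[{severity}] {alert['command']!r} spawned by {alert['parent']}")
```

Only the first sample line produces an alert; "vssadmin list shadows" is a routine administrative query and stays silent. Rating the alert higher when the parent process runs from a profile directory mirrors the file locations the article lists for the dropped malware.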

In addition to those, the new Locky virus may add registry value strings pointing to the actual location of its malicious files on the computer. The actual location of the files may be:

  • %AppData%
  • %Local%
  • %Roaming%
  • %SystemDrive%

To encrypt files, the Locky virus targets a specific pre-programmed list of file extensions associated with commonly used files such as videos, music, pictures, Microsoft Office and Adobe Reader type files. The extensions of those files may be as follows:

→.doc, .docm, .log, .pap, .info, .gdoc, .asp, .jsp, .json, .xhtml, .txt, .xls, .xlsx, .xml, .docx, .html, .js, .mdb, .odt, .asc, .conf, .msg, .rtf, .cfg, .cnf, .pdf, .php, .ppt, .pptx, .sql

The files that have been encrypted by the new Locky ransomware may have its distinctive .shit file extension appended, typical for this variant, and may look as follows:

[Image: an encrypted picture file with the .shit extension appended]
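The following Python script is an added example and not part of the original article. It walks a directory tree read-only, inventories every file carrying the .shit marker extension, recovers the original extension where the file name still shows it (a name like report.docx.shit; fully renamed files are reported as unknown) and checks it against the extension list above. The sample directory it builds is constructed for the demonstration; the inventory itself opens, moves or deletes nothing, which matters because encrypted files should be preserved in case a decryptor becomes available later.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list as given in the article for files this variant targets.
TARGET_EXTENSIONS = {
    ".doc", ".docm", ".log", ".pap", ".info", ".gdoc", ".asp", ".jsp", ".json",
    ".xhtml", ".txt", ".xls", ".xlsx", ".xml", ".docx", ".html", ".js", ".mdb",
    ".odt", ".asc", ".conf", ".msg", ".rtf", ".cfg", ".cnf", ".pdf", ".php",
    ".ppt", ".pptx", ".sql",
}
MARKER_EXT = ".shit"   # extension this Locky variant appends


def inventory_encrypted(root, marker_ext=MARKER_EXT):
    """Walk `root` read-only and describe every file ending in the marker extension.

    Each entry records the path, its size, the original extension if the file
    name still shows it (e.g. report.docx.shit), and whether that extension is
    on the targeted list. Files are never opened, moved or deleted.
    """
    entries = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != marker_ext:
            continue
        stem = path.name[: -len(marker_ext)]          # strip the marker only
        original_ext = Path(stem).suffix.lower()      # "" if the name was fully replaced
        entries.append({
            "path": str(path),
            "size": path.stat().st_size,
            "original_ext": original_ext or None,
            "targeted_ext": original_ext in TARGET_EXTENSIONS,
        })
    return entries


def summarize(entries):
    """Count encrypted files per recoverable original extension."""
    return Counter(e["original_ext"] or "<unknown>" for e in entries)


def build_sample_tree():
    """Construct a throwaway directory imitating a partially encrypted profile."""
    root = tempfile.mkdtemp(prefix="locky_inventory_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.shit").write_bytes(os.urandom(64))    # original name kept
    (docs / "notes.txt.shit").write_bytes(os.urandom(32))
    (docs / "A1B2C3D4E5F6.shit").write_bytes(os.urandom(48))   # original name lost
    (docs / "untouched.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    (docs / "ransom_note.shit.txt").write_text("marker is not the last suffix")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = inventory_encrypted(sample_root)
    for entry in found:
        print(f"{entry['path']}: {entry['size']} bytes, "
              f"original extension {entry['original_ext'] or 'unknown'}")
    print("per-extension summary:", dict(summarize(found)))
```

Running it against a real profile directory instead of the sample tree gives a record of what was hit and how much data is involved, which is useful both for deciding what to restore from backup and for keeping track of the encrypted files until a decryptor appears.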

Locky Ransomware .Shit Variant – How Did I Get Infected

The virus is being spread primarily via an .hta file that pretends to be a receipt, for example:

→ Receipt_2414_241412.hta

This malicious file does not have a high detection rate on VirusTotal, suggesting it has the potential to cause immense damage.

The malicious .hta file may be spread via several different e-mail subjects, falsely telling users that they have purchased something from websites like eBay or Amazon and that this is their receipt.

Once the file has been opened, it infects the compromised computer and silently downloads the malicious payload of the new Locky virus. To do this it may connect to the following reported remote hosts from which infections were downloaded:

www.rawahyl(.)com/076wc
Nanrangy(.)net/076wc
Ledenergythai(.)com/076wc
Sowkinah(.)com/076wc
Cynosurejobs(.)net/076wc
3ainstrument(.)com/076wc
Grupoecointerpreis(.)com/076wc
Wamasoftware(.)com/076wc
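As an added example (not code from the article), this Python snippet shows two defensive uses of the information in this section: flagging .hta attachments in an e-mail before delivery, and turning the defanged payload URLs listed above into host/path pairs for a proxy or DNS blocklist. The sample message, its sender and recipient addresses and the attachment contents are constructed placeholders; only the URL list and the Receipt_2414_241412.hta file name come from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Defanged payload-download URLs exactly as listed in the article.
REPORTED_PAYLOAD_URLS = [
    "www.rawahyl(.)com/076wc",
    "Nanrangy(.)net/076wc",
    "Ledenergythai(.)com/076wc",
    "Sowkinah(.)com/076wc",
    "Cynosurejobs(.)net/076wc",
    "3ainstrument(.)com/076wc",
    "Grupoecointerpreis(.)com/076wc",
    "Wamasoftware(.)com/076wc",
]

# Attachment type this section describes as the infection vector.
BLOCKED_ATTACHMENT_EXTS = {".hta"}


def refang(defanged):
    """Turn 'Host(.)tld/path' into a (host, path) pair usable in a blocklist."""
    url = defanged.strip().replace("(.)", ".")
    host, _, path = url.partition("/")
    return host.lower(), "/" + path


def build_blocklist(urls):
    """Set of (host, path) pairs for a proxy rule; the hosts alone suit a DNS sinkhole."""
    return {refang(u) for u in urls}


def attachment_extension(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    return name[name.rfind("."):].lower() if "." in name else ""


def risky_attachments(raw_message):
    """Names of attachments whose extension is on the blocked list."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_extension(name) in BLOCKED_ATTACHMENT_EXTS:
            flagged.append(name)
    return flagged


def build_sample_message():
    """Construct a lure message like the one described above (fake receipt + .hta)."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"       # constructed placeholder address
    msg["To"] = "victim@example.invalid"         # constructed placeholder address
    msg["Subject"] = "Your purchase receipt"
    msg.set_content("Thank you for your order. Your receipt is attached.")
    # Placeholder bytes only; this is not an HTA payload.
    msg.add_attachment(b"<html>placeholder attachment body</html>",
                       maintype="application", subtype="hta",
                       filename="Receipt_2414_241412.hta")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    print("flagged:", risky_attachments(build_sample_message()))
    for host, path in sorted(build_blocklist(REPORTED_PAYLOAD_URLS)):
        print(f"block {host}{path}")
```

Blocking by file extension is deliberately coarse: an .hta attachment has no legitimate place in a receipt e-mail, so quarantining it at the gateway removes this variant's delivery step regardless of how poorly the sample is detected by antivirus engines.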

Locky .Shit Ransomware Variant – Conclusion, Removal and File Restoration

The bottom line is that Locky ransomware's creators are back after a significant drop in infections by this virus. Their new variant adds a unique ".shit" file extension to the encrypted files, which can no longer be opened. The virus is believed to use an advanced AES encryption algorithm to scramble the contents of the files and to have many added evasive techniques.

Not only this, but the ransomware is also believed to demand a higher ransom payment, most likely in a cryptocurrency like Bitcoin, from its victims. In case you have been infected by this .shit variant of Locky ransomware, it is strongly advisable to remove the virus immediately. Since manual removal may not do the job unless you have extensive experience with this virus, we advise you to delete it automatically using an advanced anti-malware tool that will do so without further damaging the encrypted files.

Unfortunately, at present there is no decryptor that will help you, because the virus is new. However, you may want to attempt uploading your files to ID Ransomware and wait for researchers to come up with a free decryptor sooner or later. You may also want to try data recovery software, but DO NOT delete the encrypted files or reinstall Windows, because you may need them if a free decryptor is released by malware researchers. For more news about decryptors, check Kaspersky and Emsisoft as well as Trend Micro.
