The latest iteration of Locky ransomware is here. Files are encrypted with a new extension – .shit, but it is possible for other extensions to appear as well. The cryptovirus now uses HTML files (.hta) and brings back the usage of Command and Control (C&C) servers to deliver its payload file. To see how to remove the ransomware and how you can try to restore your data, read the article, carefully.
|Short Description||The ransomware encrypts your data and then displays a ransom message with instructions for payment.|
|Symptoms||Encrypted files will have the .shit extension appended to them.|
|Distribution Method||Spam Emails, C&C Servers, HTML files in the form of .hta|
|Detection Tool|| See If Your System Has Been Affected by Locky Ransomware |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Locky Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Locky Ransomware – Distribution
The latest version of the Locky ransomware brings back Command and Control servers as a way for distribution. The servers are pushing the latest payload for the cryptovirus. The payload file is seen in two formats – as an HTML file or a JScript downloader. Respectively they have these extensions – .hta and .wsf / .js. Those files can be put inside .zip for a more difficult detection by security software. You can see the detections of one such file, without it being obfuscated in an archive, on the VirusTotal website:
Most of the payload files have the name Receipt with randomized numbers after it, so it seems like a legitimate receipt or invoice. You can see how the body of one such e-mail looks like below:
From: Free Haut Debit
Date: Mon, 24 Oct 2016
Subject: [Free] Notification de facture Freebox (95854808)
Vous trouverez en piece jointe votre facture Free Haut Debit.
Le total de votre facture est de 75.09 Euros.
Nous vous remercions de votre confiance.
This one is in French as France is one of the most targeted countries, along with UK, Germany, Saudi Arabia, Poland and Serbia according to malware researchers from the MalwareHunterTeam. The emails look like they contain a legitimate invoice message. The one above tries to surprise the user that he owns some company or service 75 euros. Focused on the “debt” most users who are unaware of ransomware will open the attachment to see what exactly is happening.
Another variant of a spam letter related to the newest campaign in English:
From: “Dee Compton”
Subject: Complaint letter
Date: Mon, 24 Oct 2016
Dear [Your email name],
Client sent a complaint letter regarding the data file you provided.
The letter is attached.
Please review his concerns carefully and reply him as soon as possible.
Locky ransomware could be spread around social media and file-sharing sites, too. Avoid suspicious or unknown links, attachments and files in general. Before opening a file, always do a scan with a security application. You should read the ransomware prevention tips in our forum.
Locky Ransomware – Analysis
A new strain of the infamous Locky ransomware has been discovered. The cryptovirus brings back C2 (Command and Control) servers back into its payload distribution scheme as described above. That makes for an extremely fast delivery of the malicious script that unleashes the virus onto a compromised computer. You can preview some of the C2 servers, right here:
However, a few versions of Locky ransomware have been observed, which also put the .shit extension, but do not use C2 servers, but a .DLL file for its entry point, making it an offline way to infect computer machines, without reaching any download location.
After executing the payload, your files will get encrypted, and a ransom note will appear. A copy of the note will be made in files with the name _WHAT_is.bmp
The ransom note with instructions is set as your desktop background, and it is the same as past variants (including the grammatical errors):
The text reads the following:
!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB
4. Follow the instructions on the site.
!!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!
The Locky virus links you to a network domain hidden by the TOR service (but not hosted on it). To have access to the service, you will have to put the name of an encrypted file in the provided field. The service that loads looks the same as that of its predecessors, as you can see in the image below:
The demands on the payment page is for victims to pay up around 0,5 Bitcoins which amounts to 320 US dollars. The Locky ransomware is yet to be beaten, as its encryption is very strong and researchers have not found flaws in the code of the virus. Victims of previous iterations of the ransomware have reported that they didn’t succeed in recovering their files after paying the cybercriminals. Thus, there is no reason for you to contact the crooks or think about paying them. As seen up to this moment, the criminals will continue to make more ransomware campaigns.
Files with the following extensions have been reported to get encrypted:
→.txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .arc, .paq, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .nef, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .mdb, .sql, .sqlitedb, .sqlite3, .pst, .onetoc2, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .dot, .max, .xml, .txt, .csv, .uot, .rtf, .pdf, .xls, .ppt, .stw, .sxw, .ott, .odt, .doc, .pem, .csr, .crt, .key
Those are around 400 different extensions. Encrypted files will have the .shit extension appended to the end of their name. The encryption algorithm that is claimed to be used by Locky is RSA-2048 with AES 128-bit ciphers.
This newest sample of Locky ransomware is highly likely to erase the Shadow Volume Copies on the Windows operating system via the following command:
→vssadmin.exe delete shadows /all /Quiet
Keep on reading to see how to remove the ransomware and to see what methods you can try to decrypt some of your file data.
Remove Locky Virus and Restore .shit Files
If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Locky Ransomware.