Remove .SHIT Files Virus - Locky Ransomware ( March 2017 Update )

Remove .shit Files Virus (New Locky Ransomware)


The latest iteration of Locky ransomware is here. Files are encrypted with a new extension – .shit, but it is possible for other extensions to appear as well. The cryptovirus now uses HTML files (.hta) and brings back the usage of Command and Control (C&C) servers to deliver its payload file. To see how to remove the ransomware and how you can try to restore your data, read the article, carefully.

Threat Summary

NameLocky Ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsEncrypted files will have the .shit extension appended to them.
Distribution MethodSpam Emails, C&C Servers, HTML files in the form of .hta
Detection Tool See If Your System Has Been Affected by Locky Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Locky Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Locky Ransomware – Distribution

The latest version of the Locky ransomware brings back Command and Control servers as a way for distribution. The servers are pushing the latest payload for the cryptovirus. The payload file is seen in two formats – as an HTML file or a JScript downloader. Respectively they have these extensions – .hta and .wsf / .js. Those files can be put inside .zip for a more difficult detection by security software. You can see the detections of one such file, without it being obfuscated in an archive, on the VirusTotal website:


Most of the payload files have the name Receipt with randomized numbers after it, so it seems like a legitimate receipt or invoice. You can see how the body of one such e-mail looks like below:

From: Free Haut Debit
Date: Mon, 24 Oct 2016
Subject: [Free] Notification de facture Freebox (95854808)


Vous trouverez en piece jointe votre facture Free Haut Debit.
Le total de votre facture est de 75.09 Euros.
Nous vous remercions de votre confiance.

L’equipe Free


This one is in French as France is one of the most targeted countries, along with UK, Germany, Saudi Arabia, Poland and Serbia according to malware researchers from the MalwareHunterTeam. The emails look like they contain a legitimate invoice message. The one above tries to surprise the user that he owns some company or service 75 euros. Focused on the “debt” most users who are unaware of ransomware will open the attachment to see what exactly is happening.

Another variant of a spam letter related to the newest campaign in English:

From: “Dee Compton”

Subject: Complaint letter
Date: Mon, 24 Oct 2016

Dear [Your email name],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Dee Compton

Attachment: saved_letter_C10C6A2.js

Locky ransomware could be spread around social media and file-sharing sites, too. Avoid suspicious or unknown links, attachments and files in general. Before opening a file, always do a scan with a security application. You should read the ransomware prevention tips in our forum.

Locky Ransomware – Analysis

A new strain of the infamous Locky ransomware has been discovered. The cryptovirus brings back C2 (Command and Control) servers back into its payload distribution scheme as described above. That makes for an extremely fast delivery of the malicious script that unleashes the virus onto a compromised computer. You can preview some of the C2 servers, right here:

  • 185.102.13677:80/linuxsucks.php
  • 91.200.14124:80/linuxsucks.php
  • 109.234.35215:80/linuxsucks.php
  • bwcfinntwork:80/linuxsucks.php

However, a few versions of Locky ransomware have been observed, which also put the .shit extension, but do not use C2 servers, but a .DLL file for its entry point, making it an offline way to infect computer machines, without reaching any download location.

List with some of the payload download sites

After executing the payload, your files will get encrypted, and a ransom note will appear. A copy of the note will be made in files with the name _WHAT_is.bmp

The ransom note with instructions is set as your desktop background, and it is the same as past variants (including the grammatical errors):


The text reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser:
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB
4. Follow the instructions on the site.
!!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!

The Locky virus links you to a network domain hidden by the TOR service (but not hosted on it). To have access to the service, you will have to put the name of an encrypted file in the provided field. The service that loads looks the same as that of its predecessors, as you can see in the image below:


The demands on the payment page is for victims to pay up around 0,5 Bitcoins which amounts to 320 US dollars. The Locky ransomware is yet to be beaten, as its encryption is very strong and researchers have not found flaws in the code of the virus. Victims of previous iterations of the ransomware have reported that they didn’t succeed in recovering their files after paying the cybercriminals. Thus, there is no reason for you to contact the crooks or think about paying them. As seen up to this moment, the criminals will continue to make more ransomware campaigns.

Files with the following extensions have been reported to get encrypted:

→.txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .arc, .paq, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .nef, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .mdb, .sql, .sqlitedb, .sqlite3, .pst, .onetoc2, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .dot, .max, .xml, .txt, .csv, .uot, .rtf, .pdf, .xls, .ppt, .stw, .sxw, .ott, .odt, .doc, .pem, .csr, .crt, .key

Those are around 400 different extensions. Encrypted files will have the .shit extension appended to the end of their name. The encryption algorithm that is claimed to be used by Locky is RSA-2048 with AES 128-bit ciphers.

This newest sample of Locky ransomware is highly likely to erase the Shadow Volume Copies on the Windows operating system via the following command:

→vssadmin.exe delete shadows /all /Quiet

Keep on reading to see how to remove the ransomware and to see what methods you can try to decrypt some of your file data.

Remove Locky Virus and Restore .shit Files

If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Locky Ransomware.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share