THREAT REMOVAL

The latest iteration of Locky ransomware is here. Files are encrypted with a new extension – .shit, but it is possible for other extensions to appear as well. The cryptovirus now uses HTML files (.hta) and brings back the usage of Command and Control (C&C) servers to deliver its payload file. To see how to remove the ransomware and how you can try to restore your data, read the article, carefully.

Threat Summary Name Locky Ransomware Type Ransomware, Cryptovirus Short Description The ransomware encrypts your data and then displays a ransom message with instructions for payment. Symptoms Encrypted files will have the .shit extension appended to them. Distribution Method Spam Emails, C&C Servers, HTML files in the form of .hta Detection Tool See If Your System Has Been Affected by malware Download Malware Removal Tool User Experience Join Our Forum to Discuss Locky Ransomware. Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Locky Ransomware – Distribution

The latest version of the Locky ransomware brings back Command and Control servers as a way for distribution. The servers are pushing the latest payload for the cryptovirus. The payload file is seen in two formats – as an HTML file or a JScript downloader. Respectively they have these extensions – .hta and .wsf / .js. Those files can be put inside .zip for a more difficult detection by security software. You can see the detections of one such file, without it being obfuscated in an archive, on the VirusTotal website:

Most of the payload files have the name Receipt with randomized numbers after it, so it seems like a legitimate receipt or invoice. You can see how the body of one such e-mail looks like below:

From: Free Haut Debit

Date: Mon, 24 Oct 2016

Subject: [Free] Notification de facture Freebox (95854808) Bonjour, Vous trouverez en piece jointe votre facture Free Haut Debit.

Le total de votre facture est de 75.09 Euros.

Nous vous remercions de votre confiance. L’equipe Free Attachment: Facture_Free_201610_6292582_95854808.zip

This one is in French as France is one of the most targeted countries, along with UK, Germany, Saudi Arabia, Poland and Serbia according to malware researchers from the MalwareHunterTeam. The emails look like they contain a legitimate invoice message. The one above tries to surprise the user that he owns some company or service 75 euros. Focused on the “debt” most users who are unaware of ransomware will open the attachment to see what exactly is happening.

Another variant of a spam letter related to the newest campaign in English:

From: “Dee Compton” Subject: Complaint letter

Date: Mon, 24 Oct 2016 Dear [Your email name], Client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards,

Dee Compton Attachment: saved_letter_C10C6A2.js

Locky ransomware could be spread around social media and file-sharing sites, too. Avoid suspicious or unknown links, attachments and files in general. Before opening a file, always do a scan with a security application. You should read the ransomware prevention tips in our forum.

Locky Ransomware – Analysis

A new strain of the infamous Locky ransomware has been discovered. The cryptovirus brings back C2 (Command and Control) servers back into its payload distribution scheme as described above. That makes for an extremely fast delivery of the malicious script that unleashes the virus onto a compromised computer. You can preview some of the C2 servers, right here:

185.102.13677:80/linuxsucks.php

91.200.14124:80/linuxsucks.php

109.234.35215:80/linuxsucks.php

bwcfinntwork:80/linuxsucks.php

However, a few versions of Locky ransomware have been observed, which also put the .shit extension, but do not use C2 servers, but a .DLL file for its entry point, making it an offline way to infect computer machines, without reaching any download location.

List with some of the payload download sites http://alkanshop.com/zrwcx8om

http://bwocc.org/dkttu

http://circolorisveglio.com/dw2hheb

http://cz1321.com/zg4c4m

http://disneyrentalvillas.com/k2ars5j2

http://downtownlaoffice.com/ixmh1

http://duvalitatli.com/umx3btc1

http://executivegolfmanagement.com/qtzsegm6

http://firephonesex.com/bxuobuam

http://fjbszl.com/m4q1pmr5

http://fraildata.net/09rz1jcj

http://fraildata.net/4s1szk77

http://fraildata.net/9b8cba

http://getitsold.info/cndrdsu9

http://girlsoffire.com/d2k0b967

http://gruffcrimp.com/352gr0

http://gruffcrimp.com/5inrze

http://gruffcrimp.com/8vzak

http://gruffcrimp.com/bki56h

http://gunnisonkoa.com/d5cw6

http://gzxyz.net/zznej

http://hetaitop.com/pgq8e

http://iwebmediasavvy.com/eu7mq36w

http://jejui.com/j1ldsf

http://julianhand.com/hollu

http://jzmkj.net/y7tf2

http://kak-vernut-devushku.gq/rwlr9

http://kirijones.net/2b8fnrqm

http://kirijones.net/4v7574mp

http://kirijones.net/66wey

http://kirijones.net/a2r3pme

http://nightpeople.co.il/o8le7

http://onlysalz.com/xjo100

http://pblossom.com/t78u8

http://potchnoun.com/06p2vxua

http://potchnoun.com/38j2xn

http://potchnoun.com/8x2nt

http://privateclubmag.com/wyztr73

http://prodesc.net/x7nlxq

http://relentlesspt.com/faisexor

http://riyuegu.net/o69ecb

http://royallife.co.uk/mx5nck

http://ryanrandom.com/hwv97p8

http://sexybliss.co.uk/en8ds7nt

http://taiyuwanli.com/cpkd9

http://theleadershipdoc.com/wm1bv

http://turservice.xaker007.net/k92b92

http://ukdistributionservices.com/x1397

http://vowedbutea.net/2f1okfif

http://vowedbutea.net/5491o

http://vowedbutea.net/8jtnj8nt

http://vowedbutea.net/apupuyh3

http://xn--b1aajgfxm2a9g.xn--p1ai/dxd3v

http://yourrealestateconnection.us/rlfh0

After executing the payload, your files will get encrypted, and a ransom note will appear. A copy of the note will be made in files with the name _WHAT_is.bmp

The ransom note with instructions is set as your desktop background, and it is the same as past variants (including the grammatical errors):

The text reads the following:

!!! IMPORTANT INFORMATION !!! All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:

https://en.wikipedia.org/wiki/RSA_(cryptosystem)

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.

To receive your private key follow one of the links:

1. http://jhomitevd2abj3fk.tor2web.org/5DYGW6MQXIPQSSBB

2. http://jhomitevd2abj3fk.onion.to/5DYGW6MQXIPQSSBB

If all of this addresses are not available, follow these steps:

1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html

2. After a successful installation, run the browser and wait for initialization.

3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB

4. Follow the instructions on the site.

!!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!

The Locky virus links you to a network domain hidden by the TOR service (but not hosted on it). To have access to the service, you will have to put the name of an encrypted file in the provided field. The service that loads looks the same as that of its predecessors, as you can see in the image below:

The demands on the payment page is for victims to pay up around 0,5 Bitcoins which amounts to 320 US dollars. The Locky ransomware is yet to be beaten, as its encryption is very strong and researchers have not found flaws in the code of the virus. Victims of previous iterations of the ransomware have reported that they didn’t succeed in recovering their files after paying the cybercriminals. Thus, there is no reason for you to contact the crooks or think about paying them. As seen up to this moment, the criminals will continue to make more ransomware campaigns.

Files with the following extensions have been reported to get encrypted:

→.txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .arc, .paq, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .nef, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .mdb, .sql, .sqlitedb, .sqlite3, .pst, .onetoc2, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .dot, .max, .xml, .txt, .csv, .uot, .rtf, .pdf, .xls, .ppt, .stw, .sxw, .ott, .odt, .doc, .pem, .csr, .crt, .key

Those are around 400 different extensions. Encrypted files will have the .shit extension appended to the end of their name. The encryption algorithm that is claimed to be used by Locky is RSA-2048 with AES 128-bit ciphers.

This newest sample of Locky ransomware is highly likely to erase the Shadow Volume Copies on the Windows operating system via the following command:

→vssadmin.exe delete shadows /all /Quiet

Keep on reading to see how to remove the ransomware and to see what methods you can try to decrypt some of your file data.

Remove Locky Virus and Restore .shit Files

If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Locky Ransomware.

Berta Bilbao Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer. More Posts

Download (MAC) Malware Removal Tool See If Your System Has Been Affected by Malware. Please note that Disk Cleaner, Big Files Finder and Duplicates Scanner features are free to use. Antivirus, Privacy Scanner and Uninstaller features are paid. Read Combo Cleaner’s EULA and Privacy Policy

Download (MAC) Malware Removal Tool Get a free scanner to see if your MAC is infected. SpyHunter for MAC free remover allows you, subject to a 48-hour waiting period, one remediation and removal for results found. Read EULA and Privacy Policy