Vin Ransomware Blog02

The latest version of the Crypto Locky ransomware is spreading aggressively. Once it infects a victim machine, it encrypts files and appends the ‘.shit’ extension to them. The variant is primarily distributed through email campaigns.

Avoid opening emails that carry the attachment names and subject lines listed below:

Attachment:

1. Receipt<randomnumber>.zip
2. saved_letter_<random number>.zip

Subject:

1. Complaint Letter
2. We could not deliver your parcel
3. Receipt<randomnumber>
4. Problem with parcel shipping
5. Unable to deliver the item

An example of such an email campaign is shown below:

[Image: blog4 1]

Once the attachment is downloaded and executed, it acts as a downloader. The attachment is delivered as a ZIP archive, which may contain JavaScript (JS), Windows Script File (WSF) or HTML Application (HTA) files. Executing one of these scripts downloads a second malicious file, which encrypts the victim's files and appends the ‘.shit’ extension to them.
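The delivery chain above (a lure subject, a ZIP named like a receipt or saved letter, and a script file inside the archive that acts as the downloader) can be turned into a simple mail-gateway triage check. The Python below is an added example, not code from the original post or from any vendor; the subject and attachment-name regexes are my transcription of the lists above (the optional whitespace before the number is an assumption), and the sample archive it builds is constructed, containing only a placeholder comment rather than any real script.

```python
import io
import os
import re
import zipfile

# Lure attachment names from the post, as case-insensitive regexes.
# "<randomnumber>" is modelled as one or more digits; the optional
# whitespace before the digits is an assumption, not from the post.
ATTACHMENT_PATTERNS = [
    re.compile(r"^Receipt\s*\d+\.zip$", re.IGNORECASE),
    re.compile(r"^saved_letter_\s*\d+\.zip$", re.IGNORECASE),
]

# Lure subject lines from the post.
SUBJECT_PATTERNS = [
    re.compile(r"^Complaint Letter$", re.IGNORECASE),
    re.compile(r"^We could not deliver your parcel$", re.IGNORECASE),
    re.compile(r"^Receipt\s*\d+$", re.IGNORECASE),
    re.compile(r"^Problem with parcel shipping$", re.IGNORECASE),
    re.compile(r"^Unable to deliver the item$", re.IGNORECASE),
]

# Script types the post says the archive carries; a ZIP attachment whose
# members are scripts is a downloader stage, not a document.
SCRIPT_EXTENSIONS = {".js", ".wsf", ".hta"}


def triage_attachment(subject, attachment_name, attachment_bytes):
    """Return the list of reasons to quarantine the message (empty = no match).

    The archive is opened in memory only to list member names; nothing
    inside it is executed or extracted to disk.
    """
    findings = []
    if any(p.match(subject.strip()) for p in SUBJECT_PATTERNS):
        findings.append(f"subject matches Locky lure: {subject!r}")
    if any(p.match(attachment_name.strip()) for p in ATTACHMENT_PATTERNS):
        findings.append(f"attachment name matches Locky lure: {attachment_name!r}")
    # Inspect ZIP contents independently of the lure text, so a renamed
    # archive with the same script payload is still caught.
    if attachment_name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
                for info in zf.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    if ext in SCRIPT_EXTENSIONS:
                        findings.append(f"archive contains script file: {info.filename}")
        except zipfile.BadZipFile:
            findings.append("attachment is not a valid ZIP archive")
    return findings


def build_sample_zip(member_name="Receipt 12345.js"):
    """Constructed sample: an in-memory ZIP with one member (default: a .js
    stand-in whose body is just a comment, not the real downloader)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder body for the demo, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for reason in triage_attachment("We could not deliver your parcel", "Receipt48213.zip", sample):
        print("QUARANTINE:", reason)
```

The script-inside-ZIP check is the one worth keeping even after the lure text changes: the subject lines and file names of a campaign rotate quickly, while a ZIP whose only member is a .js, .wsf or .hta file is almost never legitimate business mail.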

This variant targets about 380 file extensions and uses the AES cryptographic algorithm for encryption. The targeted file extensions are listed below:

[Image: blog4 2]

The file extensions are renamed as follows:

[Image: blog4 3]

After the ransomware has encrypted the files on the victim machine, it drops ransom note files named ‘WHAT_is.html’, ‘<two digit number>_WHAT_is.html’ and ‘_WHAT_is.bmp’.

The ransom note of this variant is as shown below:

[Image: blog4 4]

Researchers have found [3] that the next offline variant of Locky uses ‘.thor’ as its encrypted file extension, as shown below:

[Image: blog4 5]

The following SHA-256 hash values are available as IOCs (Indicators of Compromise) for this variant:

1. c183a1cc8bea027427ecb7372d60e750bac83d78c922d85eed4c4d1aef940388
2. 0fae0d66d3df6cdf8ab777d2df6b7ddc07f917d3d89040947d48d3ef7271b699
3. 26a75a49db0bf2ef4587b0c6321945a45460d83bb8abb09a87c57bf278b78b0b
4. b69a6af6196f44b7c8c2574694efaf52687c42ec7030cfb09676e880828ade58
5. 38c7b60acbcadca9985413977cb638692539ae92c2c8f1a121a6c51f62766843
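A responder can combine the three host-side indicators the post gives (the SHA-256 hashes above, the ‘.shit’ / ‘.thor’ encrypted-file extensions, and the WHAT_is ransom note names) into one sweep of a file tree. The Python below is an added example and not code from the original post; the hash set is copied from the IOC list, the ransom note regex is my reading of the note names quoted earlier, and the sample tree it scans is constructed in a temporary directory (the "dropper stand-in" file is plain text whose hash is only treated as an IOC for the demo).

```python
import hashlib
import os
import re
import tempfile

# SHA-256 IOCs from the post's list, lower-cased for comparison.
LOCKY_SHA256 = {
    "c183a1cc8bea027427ecb7372d60e750bac83d78c922d85eed4c4d1aef940388",
    "0fae0d66d3df6cdf8ab777d2df6b7ddc07f917d3d89040947d48d3ef7271b699",
    "26a75a49db0bf2ef4587b0c6321945a45460d83bb8abb09a87c57bf278b78b0b",
    "b69a6af6196f44b7c8c2574694efaf52687c42ec7030cfb09676e880828ade58",
    "38c7b60acbcadca9985413977cb638692539ae92c2c8f1a121a6c51f62766843",
}

# Extensions appended to encrypted files by the variants the post describes.
ENCRYPTED_EXTENSIONS = {".shit", ".thor"}

# Ransom note names: WHAT_is.html, _WHAT_is.html, NN_WHAT_is.html, _WHAT_is.bmp.
RANSOM_NOTE_RE = re.compile(r"^(?:_|\d{2}_)?WHAT_is\.(?:html|bmp)$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=LOCKY_SHA256):
    """Walk root and return which files match each indicator class."""
    report = {"ioc_hits": [], "encrypted_files": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTENSIONS:
                report["encrypted_files"].append(path)
            if RANSOM_NOTE_RE.match(name):
                report["ransom_notes"].append(path)
            if sha256_file(path) in iocs:
                report["ioc_hits"].append(path)
    return report


def verdict(report):
    """A known binary or a ransom note means the host ran the payload; an
    encrypted extension alone may be a file copied from another victim."""
    if report["ioc_hits"] or report["ransom_notes"]:
        return "compromised"
    if report["encrypted_files"]:
        return "suspicious"
    return "clean"


def make_sample_tree():
    """Constructed sample tree for the demo. Returns (root, stand_in_hash),
    where stand_in_hash is the hash of a harmless text file that the demo
    treats as if it were one of the IOCs."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    files = {
        "report.docx.shit": b"ciphertext stand-in",
        "_WHAT_is.html": b"<html>ransom note stand-in</html>",
        "notes.txt": b"ordinary user file",
        "dropper.bin": b"constructed dropper stand-in, plain text",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root, sha256_file(os.path.join(root, "dropper.bin"))


if __name__ == "__main__":
    root, stand_in = make_sample_tree()
    rep = scan_tree(root, iocs=LOCKY_SHA256 | {stand_in})
    print(verdict(rep))
    for key, paths in rep.items():
        for p in paths:
            print(f"{key}: {p}")
```

Hashing every file is the expensive part of the sweep; on a large share you would normally restrict the hash check to executable and script types and leave the extension and note-name checks to run over everything.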

As this ransomware continues to develop, new information will be added to this blog.

References

[1] http://blog.talosintel.com/2016/10/pumpkin-locky.html
[2] https://malwaretips.com/blogs/remove-locky-shit-ransomware/
[3] http://findtech.link/2016/10/25/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/