To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous variants, this ransomware is installed using a DLL that is executed by Rundll32.exe. Once executed, it will encrypt targeted file types and append the .shit extension to the name of encrypted files.
Rundll32.exe executing Locky
This variant is currently being distributed through SPAM emails with a subject line of Receipt ###-###. According to MalwareHunterTeam, the attachments in the Locky SPAM emails will contain attachments that are HTA, JS, or WSF files that when executed will download an encrypted DLL installer, decrypt it on the victim's computer, and then execute it as seen in the image above.
Once the ransomware is executed, it will target over 380 file extension and encrypt them using AES encryption.
The targeted extensions are:
When it has finished encrypting a computer it will display ransom notes with payment instructions. These ransom notes have new names with this version and are named _WHAT_is.html, _[2_digit_number]_WHAT_is.html, and _WHAT_is.bmp.
This configuration for this version as shown by LockyDump is:
Unfortunately, like previous versions this variant cannot be decrypted for free.