OCTOBER 25,2016

To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous variants, this ransomware is installed using a DLL that is executed by Rundll32.exe. Once executed, it will encrypt targeted file types and append the .shit extension to the name of encrypted files.

rundll32 properties

                                                                                 Rundll32.exe executing Locky

This variant is currently being distributed through SPAM emails with a subject line of Receipt ###-###. According to MalwareHunterTeam, the attachments in the Locky SPAM emails will contain attachments that are HTA, JS, or WSF files that when executed will download an encrypted DLL installer, decrypt it on the victim's computer, and then execute it as seen in the image above.

Once the ransomware is executed, it will target over 380 file extension and encrypt them using AES encryption.

encrypted files

                                                                                      Encrypted Files

The targeted extensions are:

encrypt1 html

When it has finished encrypting a computer it will display ransom notes with payment instructions. These ransom notes have new names with this version and are named _WHAT_is.html, _[2_digit_number]_WHAT_is.html, and _WHAT_is.bmp.

ransom note


This configuration for this version as shown by LockyDump is: 

locky dump

Unfortunately, like previous versions this variant cannot be decrypted for free.

News Courtesy