“Receipt_{UniqueNumber}.hta – this is the first e-mail attachment detected to cause infections with the notorious Locky virus. Locky ransomware has been via meny ransomware variants using the .odin, .zepto and .locky file extensions, but the latest variant of this virus uses the unique .shit file extension. これの最悪の部分は、ウイルスがファイル拡張子が示唆するほど下品であるということです. Anyone who has been infected with the .shit file extension virus variant of Locky, 身代金を支払ってこの記事の情報を読むべきではありません.
マルウェア除去ツールをダウンロードする, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files
Locky Ransomware – Further Details
The malicious command and control servers of this variant of Locky ransomware are believed to infect people from various countries,好む:
- Saudi Arabia
- France
- Poland
- United Kingdom
- Germany
- Serbia
Here is List with some of the payload download sites of .shit file extension
だけでなく、この, but also the Locky ransomware virus has been further reported by the researcher operaions6 (Twitter: @_operations6) to be associated with the following command and control server hosts via a linuxsucks.php type of file on Port80:
- 185.102.136.77
- 91.200.14.124
- 109.234.35.215
- Bwcfinnt.work
As soon as the latest iteration of the Locky virus infects your computer, it may immediately change your wallpaper to a ransom note similar to Locky’s original ransom note in the picture below:
これが行われた後, the ransomware may delete the shadow volume copies executing the following command:
→vssadmin delete-shadows /forvolume={targeted drive, usually C:} /all /quiet
The /quiet mode of of the virus aims primarily to make it delete the backups and shadow copies (file history) from the affected computer in a very specific manner without the victim noticing it.
In addition to those, the new Locky virus may add registry value strings with the actual location of it’s malicious files in the computer. The actual location of the files may be:
- %アプリデータ%
- %地元%
- %ローミング%
- %SystemDrive%
To encrypt files, the Locky virus targets a specific pre-programmed list of file extensions, which is associated with often used files like videos, 音楽, ピクチャー, Microsoft Office and Adobe reader type of files. The extensions of those files may be as follows:
→.doc, .docm, .ログ, .pap, .info, .gdoc, .asp, .jsp, .json, .xhtml, .txt, .xls, .xlsx, .xml, .docx, .html, .js, .mdb, .odt, .asc, .conf, .msg, .rtf, .cfg, .cnf, .pdf, .php, .ppt, .pptx, .sql
The files that have been encrypted by the new Locky ransomware may added it’s distinctive .shit file extension typical for it’s variant and may look as follows:
Locky Ransomware .Shit Variant – どのように私は感染しましたか
The virus is being spread primarily via an .hta file that pretends to be a receipt, 例えば:
→ Receipt_2414_241412.hta
This malicious file does not have a high detection rate on VirusTotal suggesting it has the potential to cause immense damage.
The malicious .hta file may be spread via several different e-mail subjects, lying to users that they have purchased something from websites like eBay or Amazon and this is their receipt.
Once the file has been opened it infects the compromised computer and downloads undetected the malicious payload of the new Locky virus. To do this it may connect to the following reported remote hosts from which infections were downloaded:
→www.rawahyl(.)com/076wc
Nanrangy(.)net/076wc
Ledenergythai(.)com/076wc
Sowkinah(.)com/076wc
Cynosurejobs(.)net/076wc
3ainstrument(.)com/076wc
Grupoecointerpreis(.)com/076wc
Wamasoftware(.)com/076wc
Locky .Shit Ransowmare Variant – Conclusion, Removal and File Restoration
The bottom line is that Locky ransomware’s creators were back after a significant drop of ransomware infections by this virus. Their new virus adds a unique “.shit” file extension to the encrypted files which are no longer openable. The virus is believed to use an advanced AES encryption algorithm to scramble the code of the files and to have many added evasive techniques to it.
だけでなく、この, しかし、ランサムウェアはまた、より高い身代金の支払いを要求すると考えられています, 犠牲者からのビットコインのような暗号通貨である可能性が最も高い. In case you have been infected by this .shit variant of Locky ransomware, このウイルスをすぐに削除することを強くお勧めします. 手動での取り外しはあなたのために仕事をしないかもしれないので, このウイルスの豊富な経験がない限り, 暗号化されたファイルにさらに損傷を与えることなく削除できる高度なマルウェア対策ツールを使用して、自動的に削除することをお勧めします.
残念ながら、現時点ではあなたを助ける復号化はありません, ウイルスが新しいという事実のために. しかしながら, ファイルをIDランサムウェアにアップロードして、研究者が遅かれ早かれ無料の復号化ツールを思い付くのを待つことをお勧めします。. また、データ復旧ソフトウェアを試してみることもできます, but DO NOT delete the encrypted files or reinstall Windows because you may need them if a free decryptor is released by malware researchers. For more news about decryptors check Kaspersky and EmsiSoft as well as Trend Micro.
マルウェア除去ツールをダウンロードする, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files