What Is _WHAT_is.html? Remove .shit Files Virus (New Locky)

By   ISBuzz Team
Writer , Information Security Buzz | Oct 25, 2016 11:12 pm PST
Encrypted files with the .shit file extension is what the newest iteration of the Locky ransomware menace is setting once it infects your computer. After this, the ransomware drops a _WHAT_is.html and _WHAT_is.bmp files to further notify users that their files have been encoded. Similar to the previous variants of Locky ransomware, this one also uses RSA-2048 as well as AES-128 encryption algorithms to encipher files of users. In case you have been infected by the latest Locky ransomware variant, it is strongly advisable to remove the threat with an advanced anti-malware tool and only then to look for alternative ways to restore your files.

Locky .shit File Extension Ransomware In Detail

After the .shit variant of Locky attacks your files, it immediately begins encrypting them. This variant is pre-programmed to hunt for a wide variety of file types:

[su_panel background=”#fdf8c7″]

.yuv,.ycbcra,.xis,.wpd,.tex,.sxg,.stx,.srw,.srf,.sqlitedb,.sqlite3,.sqlite,.sdf,.sda,

.s3db,.rwz,.rwl,.rdb,.rat,.raf,.qby,.qbx,.qbw,.qbr,.qba,.psafe3,.plc,.plus_muhd,

.pdd,.oth,.orf,.odm,.odf,.nyf,.nxl,.nwb,.nrw,.nop,.nef,.ndd,.myd,.mrw,.moneywell,

.mny,.mmw,.mfw,.mef,.mdc,.lua,.kpdx,.kdc,.kdbx,.jpe,.incpas,.iiq,.ibz,.ibank,.hbk,

.gry,.grey,.gray,.fhd,.ffd,.exf,.erf,.erbsql,.eml,.dxg,.drf,.dng,.dgc,.des,.der,.ddrw,.ddoc,

.dcs,.db_journal,.csl,.csh,.crw,.craw,.cib,.cdrw,.cdr6,.cdr5,.cdr4,.cdr3,.bpw,.bgt,.bdb,

.bay,.bank,.backupdb,.backup,.back,.awg,.apj,.ait,.agdl,.ads,.adb,.acr,.ach,.accdt,.accdr,

.accde,.vmxf,.vmsd,.vhdx,.vhd,.vbox,.stm,.rvt,.qcow,.qed,.pif,.pdb,.pab,.ost,.ogg,.nvram,

.ndf,.m2ts,.log,.hpp,.hdd,.groups,.flvv,.edb,.dit,.dat,.cmt,.bin,.aiff,.xlk,.wad,.tlg,.say,

.sas7bdat,.qbm,.qbb,.ptx,.pfx,.pef,.pat,.oil,.odc,.nsh,.nsg,.nsf,.nsd,.mos,.indd,.iif,.fpx,

.fff,.fdb,.dtd,.design,.ddd,.dcr,.dac,.cdx,.cdf,.blend,.bkp,.adp,.act,.xlr,.xlam,.xla,.wps,

.tga,.pspimage,.pct,.pcd,.fxg,.flac,.eps,.dxb,.drw,.dot,.cpi,.cls,.cdr,.arw,.aac,.thm,

.srt,.save,.safe,.pwm,.pages,.obj,.mlb,.mbx,.lit,.laccdb,.kwm,.idx,.html,.flf,.dxf,.dwg

,.dds,.csv,.css,.config,.cfg,.cer,.asx,.aspx,.aoi,.accdb,.7zip,.xls,.wab,.rtf,.prf,.ppt,.oab,

.msg,.mapimail,.jnt,.doc,.dbx,.contact,.mid,.wma,.flv,.mkv,.mov,.avi,.asf,.mpeg,.vob,

.mpg,.wmv,.fla,.swf,.wav,.qcow2,.vdi,.vmdk,.vmx,.wallet,.upk,.sav,.ltx,.litesql,.litemod,

.lbf,.iwi,.forge,.das,.d3dbsp,.bsa,.bik,.asset,.apk,.gpg,.aes,.ARC,.PAQ,.tar.bz2,.tbk,.bak,

.tar,.tgz,.rar,.zip,.djv,.djvu,.svg,.bmp,.png,.gif,.raw,.cgm,.jpeg,.jpg,.tif,.tiff,.NEF,.psd,.

cmd,.bat,.class,.jar,.java,.asp,.brd,.sch,.dch,.dip,.vbs,.asm,.pas,.cpp,.php,.ldf,.mdf,.ibd,

.MYI,.MYD,.frm,.odb,.dbf,.mdb,.sql,.SQLITEDB,.SQLITE3,.pst,.onetoc2,.asc,.lay6,.lay,

.ms11,.sldm,.sldx,.ppsm,.ppsx,.ppam,.docb,.mml,.sxm,.otg,.odg,.uop,.potx,.potm,.pptx,

.pptm,.std,.sxd,.pot,.pps,.sti,.sxi,.otp,.odp,.wks,.xltx,.xltm,.xlsx,.xlsm,.xlsb,.slk,.xlw,.xlt,

.xlm,.xlc,.dif,.stc,.sxc,.ots,.ods,.hwp,.dotm,.dotx,.docm,.docx,.DOT,.max,.xml,.txt,.CSV,

.uot,.RTF,.pdf,.XLS,.PPT,.stw,.sxw,.ott,.odt,.DOC,.pem,.csr,.crt,.key

[/su_panel]

Once encrypted, the files receive 2 alterations – the virus changes their names and file extensions and the encrypted files can no longer be recognized, for example:

B91242314C1-D21B-232F-AC3AA-CBC223C.shit

The newest Locky virus also performs other activities to notify users who have been infected. It drops two type of files – an .html and .bmp file, named “_WHAT_is”.

The _WHAT_is.html contains the following ransom message to notify victims:

“!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 algorithms.

More information about the RSA and AES can be found here:

http://en.wikipedia.org/wiki/RSA_(cryptosystem)

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

{custom TOR links that lead to the payment page}

If all of this addresses are not available, follow these steps:

  1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
  2. After a successful installation, run the browser and wait for initialization.
  3. Type in the address bar: {custom TOR link}
  4. Follow the instructions on the site.”

These instructions then lead the infected user to a Tor-based page where s/he must enter a unique identification number or the name of an encrypted file to login:

After that, the virus leads the victim to a custom Tor-based payment page typical for Locky ransomware since it sells Locky Decryptor:

Users are left with nothing but to pay the ransom because the files are no longer openable due to the 2 very strong ciphers the .shit virus uses. The first cipher aims primarily to encrypt the files themselves. This is believed to be the AES – 128-bit encryption algorithm.  The virus then may generate a unique AES decryption key and encrypt the file further with the strongest stable RSA cipher with RSA-2048 bit in strength. After this, the files become no longer openable, unless they are being decrypted using the unique decryption software held by the cyber-criminals.

How Does Locky Spread and Infect?

The .shit variant of Locky ransomware uses a very specific method to spread. This method is believed to be spam e-mails using either .wsf (malicious javascript) or .hta (malicious HTML) files that aim to cause the infection. The files usually aim to resemble legitimate files such as Adobe Reader .pdf files or Microsoft Office types of documents and most users see them in the following forms, for example:

  • Receipt_12847182_12481.hta
  • Receipt_12847182_12481.wsf

The message accompanying the files may be different depending on the targeted users. They may resemble a fake purchase that has been done under the user’s name from an online retailer store like PayPal, eBay or other similar websites. Some spam mails may even pretend to come from institutions like banks and governments. The truth is that the spam campaign distributing Locky’s latest variant using the .shit file extension is so massive( https://twitter.com/malwrhunterteam/status/790563218389340162/photo/1 ) that the payment website itself features almost all default Windows system languages in it.

Once this virus has already caused an infection, it immediately begins to download the payload of Locky ransomware which is a malicious .dll file that begins to encrypt files. The payload is downloaded from many different hosts. The main command and control servers associated with the .shit ransomware variant of Locky are reported to be the following:

  • 185.102.13677:80/linuxsucks.php
  • 91.200.14124:80/linuxsucks.php
  • 109.234.35215:80/linuxsucks.php
  • bwcfinntwork:80/linuxsucks.php

Dealing With the “.shit” Ransomware

If you are a victim of this massively spread virus, there are several options for you. One is to pay ransom which is not advisable because there may be a decryptor released soon for free if malware researchers crack the virus. In addition, besides providing financial assistance to criminals which will allow them to further spread their malware, you also have no guarantee your files will be decrypted by them.

Your other option is to remove the malware yourself manually or automatically with the proper software for that and backup the encrypted files for later days to come. There are also alternative variants to recover your files using::

  • Data recovery software.
  • Network sniffer during infection to capture packets.
  • Python scripts in Ubuntu or other Linux OS to attempt and factorize the unique RSA key and try to scrape up a decryptor based on that, but you will need a lot of coding skills and experience and still there is no guarantee.

Whatever the case may be, security experts strongly advise against paying the cyber criminals as this only encourages them to spread  their .shit file extension virus even more.

[su_box title=”About Vencislav Krustev” style=”noise” box_color=”#336588″][short_info id=’93873′ desc=”true” all=”false”][/su_box]

Recent Posts