What is Shit ransomware and how to remove it


Is ransomware really dangerous?

Ransomware is the most dangerous group of viruses on the Internet. Some viruses are almost harmless, some - may cause harm if they’ll fall in certain conditions, but ransomware always harms the user’s PC, even if he deletes it immediately after penetration. If you take only ransomware affecting the PC, it can be divided into two basic types:

  • Monitor-lockers. This type of ransomware enters the user's computer, and with a simple script puts a message to ransom over all the shortcuts on the desktop. The user can not get access to his programs and to the "Start" menu, and forced to pay for the removal of the lock. In most cases, to cope with such a program, the user only has to restart the computer, run it in safe mode and remove the virus files.
  • Encrypting ransomware is considered the most dangerous type of viruses, one of those that spread via the Internet. These viruses encrypt all data stored on the user's computer, and require the payment of a ransom for their decryption. The main difficulty lies in the fact that even if you remove a virus from your computer, the files will still be encrypted, and you will have to deal with it somehow.

What is Shit (Locky) ransomware

Locky ransomware is considered one of the most dangerous viruses, along with Serber, CryptoWall, Chainsaw and others. Apparently, the hackers who created this virus, are going to work on this virus for a very long time, so they are acting very smart, and make their job very diligently. New versions of Locky ransomware are regularly appearing on the Internet, and so far none of them has been deciphered. The last two versions were called Zepto and Odin, and assigned the similar file extensions to the encrypted files. Now hackers have decided not to do a full update, but only change the extension for encrypted files. Moreover, some processes and methods also have been changed.

Usually, when hackers try to change their product to hinder its detection by antivirus programs, they change its name, and other small items, such as ransom notes or payment site addresses. In the case of Shit, the penetration method, the expansion of encrypted files and some other minor options have been changed. Now the virus assigns an encrypted file extension .shit. The amount of redemption is now 0,5 BTC (about $ 320). Perhaps such a rapid release of a new update is due to the fact that the latest version of Locky, called Odin, demanded a ransom of $ 3 BTC (more than $ 1850), and the number of users who paid the ransom dropped significantly. In addition, the hackers decided to use several methods of infiltration. This is not about traditional sources of threats, such as infected e-mails or malicious Web sites. Current version of the virus can enter the user's computer as a whole, in the form of executable file, or a script which penetrates and initiates the download of virus from one of the C&C servers. Instructions for payment have their original form, which has not changed since the first version of Locky. They are called _WHAT_is.html, _ [2_digit_number] _WHAT_is.html, and _WHAT_is.bmp, and are placed on the user's desktop, in addition to a large copy of the message that is the desktop wallpaper. Furthermore, the copy of this message is putted to each folder containing encrypted files. List of the targeted file extensions remain unchanged. Here it is:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

How Locky (.shit) virus works

As we said earlier, the main problem with encrypting ransomware in general and with Locky in particular is that the changes made by ransomware can’t be undone. So, ransomware is aimed to perform all processes in fastest and stealthiest way, before user realizes that something is wrong. After penetrating the computer and install, Locky immediately begins to encrypt files. The process of encryption is disguised as one of the system processes, or uses a process "rundll32.exe" to run a malicious program. Sometimes it is obvious that in the process manager there are simultaneously two identical system processes, consuming a different amount of resources. Most likely, one of them is malware. If you have noticed that Locky is running on your computer - you can do one thing. Restart your computer, start it in safe mode and remove the virus, in accordance with the instructions on this page. Then you will save the part of the files which has not yet been encrypted. If you received the ransom mesage, it means that all files are already encrypted.

How to remove Locky (.shit) ransomware

Removing shit from computer is not a difficult task. To remove the virus, you can simply use the provided instructions, or use a decent anti-virus program. Remember that removing the virus does not change the state of the encrypted files. By removing the virus, you only provide security to other files, that will be downloaded to your PC. In addition, if you remove the virus, you will not be able to recover files via hacker’s website and the payment of ransom. Please, follow these instructions to remove Locky virus.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Special Offer

Antivirus scanner

Why we recommend SpyHunter antimalware

Detects most kind of virus: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects virus on the computer, you will need to purchase malware removal tool for $39,99 to delete viruses. SpyHunter has Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

The decryption of files

Currently it’s impossible to decrypt files, encrypted by Locky ransomware. The virus is able to delete the shadow copies folder, so that the use of conventional programs for the recovery becomes impossible. The virus was created by highly skilled developers, so malware fighters yet haven’t found any flaw in the code, to break it and get the encryption keys. Decryption by simple brute force is also impossible. Locky uses AES-256 and RSA encryption and decryption of files will need hundreds, if not thousands of years. The only way to protect yourself from ransomware is to back up the system, or selected files. If you regularly make backups and store them on an external hard drive that wasn’t connected to the computer at the time of infection, it will be enough to remove the virus and download the backup. If you have no backups, and you need your files immediately, then you certainly can try to pay a ransom, but we strongly advise you not to do so, because the probability of losing money is extremely high. So far, the most sensible course would be simply removing the virus, waiting for news from leading malware fighters and antiviral software vendors on the development of decryptor.

Add comment

Security code

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.