The odd extension name carries no particular meaning beyond the fact that its creators had to call the encrypted files something.

After a two-week break that saw few Locky ransomware attacks, the Cisco Talos research team discovered a new variant that uses a scatologically named extension for the encrypted files and a command-and-control (C2) path that insults Linux.

Talos researchers Warren Mercer and Edmund Brumaghin found the cybercriminals using a .sh** extension in the three distinct campaigns they observed distributing the new Locky variant. Two other changes were spotted in Locky:

  • The URL path used for C2 has changed to /linuxsucks.php
  • The file containing the ransom note is now named “_WHAT_is.html”

The odd extension name itself has no particular significance beyond the fact that the authors had to name the files something.

“They change the extension occasionally to avoid very simplistic detection techniques, combine that with immaturity and we end up with .sh** extensions,” Craig Williams, senior technical leader and global outreach manager at Cisco Talos, told SCMagazine.com in an email.
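Because the extension is the part the authors change most freely, a detection that keys on the two indicators listed above (the C2 URL path and the ransom-note file name) survives an extension swap. The following is an added example, not code from Talos or SCMagazine: the indicator strings are taken from the article, the encrypted-file extension is censored on the page and so is deliberately not used, and the proxy and file-creation log lines are constructed for the example rather than real telemetry.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the article. The encrypted-file extension is censored on
# the page (.sh**), so it is not part of the detection on purpose.
C2_PATH = "/linuxsucks.php"
RANSOM_NOTE = "_WHAT_is.html"

# Constructed sample log lines (assumption: a Squid-style proxy log and a
# Sysmon-style file-create event). Hosts, users and paths are made up.
SAMPLE_LINES = [
    "1477324800.123 proxy TCP_MISS/200 512 POST http://203.0.113.10/linuxsucks.php - user1",
    "1477324801.456 proxy TCP_MISS/200 9031 GET http://example.com/index.html - user2",
    "FileCreate TargetFilename=C:\\Users\\user1\\Documents\\_WHAT_is.html Image=C:\\Windows\\Temp\\x.exe",
    "FileCreate TargetFilename=C:\\Users\\user1\\Documents\\report.docx Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
]

URL_RE = re.compile(r"https?://\S+")
TARGET_RE = re.compile(r"TargetFilename=(\S+)")


def match_c2(line):
    """True if the line carries a URL whose path (not just substring) is the Locky C2 path.

    Comparing the parsed path avoids matching the string inside an unrelated query
    or a longer path, and ignores the host, which campaigns rotate.
    """
    m = URL_RE.search(line)
    if not m:
        return False
    return urlsplit(m.group(0)).path.lower() == C2_PATH


def match_ransom_note(line):
    """True if a file-create event wrote the Locky ransom note, whatever the directory."""
    m = TARGET_RE.search(line)
    if not m:
        return False
    # Normalise Windows separators and keep only the base name.
    name = m.group(1).replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == RANSOM_NOTE.lower()


def scan(lines):
    """Return (indicator, line) pairs for every line matching either indicator."""
    hits = []
    for line in lines:
        if match_c2(line):
            hits.append(("c2_beacon", line))
        elif match_ransom_note(line):
            hits.append(("ransom_note", line))
    return hits


if __name__ == "__main__":
    for kind, line in scan(SAMPLE_LINES):
        print(kind, "<-", line)
```

Both checks compare a parsed component (URL path, file base name) rather than grepping the raw line, so a host change or a different target directory does not break them; only the authors changing the path or note name itself would, which is exactly the kind of change Talos reports.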

The three campaigns studied by Talos also included a few new twists.

The first, spotted on October 24, used emails carrying malicious .HTA files as malware downloaders. The emails claim to contain a receipt with the file name “Receipt XXXXX-XXXXXX.hta”, an HTML Application file (a format Windows runs through mshta.exe), housed inside a .ZIP attachment. When the victim opens the .HTA from the .ZIP, it executes and downloads the Locky ransomware. Another odd, or perhaps simply seasonal, touch in this campaign is the word “pumpkin” used as part of the obfuscation of the .HTA downloader; Talos found 37 separate occurrences of the word.

The second campaign tracked by Talos used JavaScript files as the downloader and replaced the receipt lure in the subject line with “Complaint Letter.”, along with a brief note explaining the attachment and asking the recipient to take a look. Again the downloader was contained in a .ZIP file, this time named “saved_letter_XXXXXXXXX.zip.”

A third, smaller campaign used a WSF-based downloader and primarily targeted French-speaking victims with an emailed bill purporting to come from the French television and media provider Free and demanding payment. Like the JavaScript campaign, this one features a short note asking for remittance and saying the bill can be viewed in the attachment, which upon opening downloads Locky.
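All three campaigns share one mechanical trait: a script-type dropper (.hta, .js or .wsf) inside a .ZIP attachment, which is what a mail gateway can check before any lure text or payload is considered. The following is an added example, not code from Talos or the article: it builds a few constructed attachments in memory (the receipt name keeps the article's placeholder digits; the other member names are invented) and quarantines any archive containing a member with a script or HTML Application extension. The extension list beyond the three the article names (.jse, .vbs, .vbe) is an assumption based on what Windows Script Host also executes.

```python
import io
import zipfile

# Dropper types named in the article (.hta, .js, .wsf) plus, as an assumption,
# other extensions that mshta.exe / Windows Script Host will run directly.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".wsf", ".vbs", ".vbe"}


def build_sample_zip(member_name, body):
    """Constructed attachment for the example, built in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


def risky_members(zip_bytes):
    """Return member names whose extension is a script or HTA.

    Directories are skipped, the path inside the archive is ignored, and the
    extension comparison is case-insensitive, since Windows runs "FOO.HTA"
    and "foo.hta" the same way.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def should_quarantine(zip_bytes):
    """Gateway decision: hold the message if any archive member is a script dropper."""
    return bool(risky_members(zip_bytes))


def demo():
    # Constructed attachments mirroring the three campaigns' packaging.
    samples = {
        "receipt": build_sample_zip("Receipt XXXXX-XXXXXX.hta", b"<html><script>/* pumpkin */</script></html>"),
        "complaint": build_sample_zip("Complaint_Letter.JS", b"var x = 1;"),
        "bill": build_sample_zip("facture/facture.wsf", b"<job><script language='JScript'></script></job>"),
        "benign": build_sample_zip("invoice.pdf", b"%PDF-1.4"),
    }
    return {label: should_quarantine(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, "quarantine" if verdict else "allow")
```

This is the "simplistic" layer: it stops these three campaigns as packaged but says nothing about a dropper renamed to .txt or nested in a second archive, so it belongs in front of, not instead of, content inspection of the archive members.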

Williams said these changes do not make Locky any more effective per se; they are more of a regular tune-up to keep the ransomware useful and able to evade poor detection techniques.