I wrote this article to help you remove Shit Extension Ransomware. This Shit Extension Ransomware removal guide works for all Windows versions.

Shit extension ransomware is one of the many faces of Locky. This cryptovirus holds the top spot for computer infections in 2016 thus far. The developers frequently modify the rogue program to prevent anti-virus software from detecting it. We are dedicating this article to one of the latest reincarnations, known as Shit extension ransomware. This variant is widely spread in the following countries: United Kingdom, Germany, France, Poland, Serbia and Saudi Arabia. Upon entry, Shit extension ransomware locks the private files on the computer and asks for a payment to decrypt them. If you have contacted this win-locker, you should not meet its demands. There is no guarantee that paying the ransom would put an end to the attack.

Detecting and identifying Shit extension ransomware is easy. The insidious program needs the user to know that it is there. The point is to make him pay the ransom. The win-locker announces its presence and introduces itself. It explains that your private files have been rendered inaccessible. This includes your documents, graphics, audios, videos, databases, archives, spreadsheets, presentations and others. The .shit file extension is assigned to the infected items. In order to have them decrypted, you will be asked to pay a ransom. The cyber criminals threaten users that refusing to pay or trying to remove the virus would result in their data remaining permanently encrypted. Many win-lockers make threats and statements. These are just intimidation tactics which do not have merit to them.

Shit extension ransomware encrypts files using a combination of RSA-2048 and AES-128 ciphers. A code scheme of two cryptosystems builds a resilient algorithm. The success of Locky is partly due to the double coding pattern. Another reason for the high success rate of the win-locker is that its owners are not greedy. They do not ask for a lot to provide the decryption key. Shit extension ransomware has set a ransom of 0.5 bitcoins. This is the standard ransom for most versions of Locky. According to the current exchange rate, this sum converts to $325.62 USD.

The shady program creates a ransom note, titled _[random numbers]_WHAT_is.txt, to notify the user of his predicament and list its demands. The win-locker drops a copy of the ransom note in all folders which contain encrypted files. An additional note, called _[random numbers]_WHAT_is.html, is also duplicated and spread throughout the folders. Shit extension ransomware sets the desktop background to a custom wallpaper, named _WHAT_is.bmp. The graphic gives a summary of the ransom message. The redemption fee has to be paid through the Tor browser. This is another measure the developers of the win-locker have taken. The bitcoin cryptocurrency and the Tor web browser assure the anonymity of the parties, involved in the transaction. There are alternative ways to restore your files. You do not need to pay the cyber criminals. Pay no attention to their threats.

It would be best to avoid contacting Shit extension ransomware in the first place. Even if it is already too late for evasion, enforcing measures is never too late. Catching the virus once will not make your system immune to it afterwards. Besides, there are many other dangerous programs you could contact in the same way. Shit extension ransomware is distributed via spam emails, like all versions of Locky. The spam emails, spreading the win-locker, have gone through changes with each variant. The carrier file and the format of the letter are switched to make them unrecognizable.

As always, we will spread the word about the latest method. The host is always an attachment. With Shit extension ransomware, you need to look out for a .dll file. It will be contained inside a .zip folder. The sender can present the attachment as a receipt, an invoice or a document regarding a debt. Accessing the infected file is all it takes to trigger the download and install of Shit extension ransomware. To filter spam from legitimate messages, check the contacts. If he is writing on behalf of a certain company or entity, he should have used an official email account.

Shit Extension Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Shit Extension Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Shit Extension Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete