Remove Thor Ransomware

I wrote this article to help you remove Thor Ransomware. This Thor Ransomware removal guide works for all Windows versions.

Thor file extension ransomware is the latest modification of Locky. It was first spotted two days ago, only a day after the previous update was caught on the radar. The developers of the win-locker change codes, extensions and hosts on a regular basis to prevent anti-virus tools from detecting it. Their hard work has paid off. Locky was recently named the most dangerous ransomware program of 2016. The win-locker has been wreaking havoc throughout the year, infecting computers from across the globe. According to reports, 97% of all infectious spam emails contain Locky. We advise computer users to keep their guard up at all times. This article aims to explain and outline the dangers and specifications around Thor file extension ransomware. We have included tips to help you keep your system safe.

Thor file extension ransomware follows the same patterns as the previous versions of Locky. Upon penetrating your system, it will start encrypting your private files. The win-locker targets documents, archives, images, audios, videos, databases and other file types. Thor file extension ransomware uses RSA-2048 and AES-128 encryption technologies. The RSA cipher creates a public key for encrypting vulnerable files. The AES algorithm generates a private decryption key, unique for each instance of infection. The names of the encrypted files are changed, using the following scheme: [8 hexadecimal characters]-[4 hexadecimal characters]-[4 hexadecimal characters]-[4 hexadecimal characters]-[12 hexadecimal characters]. The .thor suffix is appended as the file extension.

The clandestine program creates a ransom note to inform the victim of his predicament and state the demands of the cyber criminals. The note is titled _[random numbers]_WHAT_is.txt. A copy of it is dropped on the desktop and in every folder where encrypted files are located. A second ransom note is spread in parallel to provide further instructions on the payment process. This file is named _[random numbers]_WHAT_is.html. It is placed in every affected folder. The first message you will see is the custom wallpaper of Thor file extension ransomware. The image is called _WHAT_is.bmp. It gets set as the desktop background.
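The naming scheme and ransom-note names described above can be turned into a simple triage check that shows which folders were hit. This is an added example, not code from the original article; it assumes "[random numbers]" means one or more decimal digits, and the function names and sample paths are constructed for illustration.

```python
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

H = "[0-9a-f]"
PATTERNS = {
    # [8]-[4]-[4]-[4]-[12] hexadecimal characters, then the .thor extension
    "encrypted": re.compile(rf"{H}{{8}}-{H}{{4}}-{H}{{4}}-{H}{{4}}-{H}{{12}}\.thor", re.I),
    # _[random numbers]_WHAT_is.txt / .html (digits are an assumption)
    "ransom_note": re.compile(r"_\d+_WHAT_is\.(?:txt|html)", re.I),
    "wallpaper": re.compile(r"_WHAT_is\.bmp", re.I),
}

def classify(filename):
    """Return the indicator label for a bare file name, or None."""
    for label, pattern in PATTERNS.items():
        if pattern.fullmatch(filename):
            return label
    return None

def triage(paths):
    """Group indicator hits by folder: {folder: {label: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for p in paths:
        path = PureWindowsPath(p)
        label = classify(path.name)
        if label:
            report[str(path.parent)][label] += 1
    return {folder: dict(hits) for folder, hits in report.items()}

def walk(root):
    """Yield every file path under root, for feeding into triage()."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)

# Constructed sample paths; none of these come from a real incident.
SAMPLE = [
    r"C:\Users\ann\Documents\1A2B3C4D-5E6F-7A8B-9C0D-112233445566.thor",
    r"C:\Users\ann\Documents\0F0E0D0C-0B0A-0908-0706-050403020100.thor",
    r"C:\Users\ann\Documents\_8_WHAT_is.html",
    r"C:\Users\ann\Desktop\_13_WHAT_is.txt",
    r"C:\Users\ann\Desktop\_WHAT_is.bmp",
    r"C:\Users\ann\Documents\notes.thor",   # .thor suffix but wrong name shape
    r"C:\Users\ann\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for folder, hits in triage(SAMPLE).items():
        print(folder, hits)
```

On a live system, `triage(walk(r"C:\Users"))` produces the same per-folder summary, which helps decide which folders to look at first when restoring files.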


The developers of Locky are keeping the ransom at a reasonable level, to use the term loosely. Users are required to pay 0.5 bitcoins for the decryption. This amounts to $340.55 USD, according to the current exchange rate. Paying a few hundred dollars to view your own files may be quite a stretch, but it is still less than the ransoms other win-lockers ask for. To complete the transaction, you have to use the Tor browser. There are links to payment pages in the ransom note. The Tor project was created for security reasons. It protects users’ privacy when browsing the web. Unfortunately, cyber criminals can also take advantage of this program. They use it to keep their IP address and their physical coordinates from being detected. The bitcoin cryptocurrency has a similar purpose. Transactions, made in bitcoins, cannot be traced.

Thor file extension ransomware threatens to permanently damage people's files if they refuse to meet the demands. The malignant program claims that the only way to have your data restored is with the decryptor. It warns people that attempting to uninstall Locky would result in their files becoming impossible to unlock. You should not allow the virus to intimidate you. Taking action against it would not have consequences. Keep in mind that paying the ransom is a risky move. Ransomware infections are notorious for not making good on their part of the deal. Your files could remain encrypted.

Thor file extension ransomware is distributed like its predecessors. The propagation vector of choice for Locky is spam emailing. To make the scheme less evident, the furtive program frequently changes the host type and the letter content. Thor file extension ransomware is spread through spam messages which talk about a budget forecast. This is the subject of the email. The spammer states that the file is sent at the request of another person. There is a .zip folder attached to the letter. It is titled budget_xls_[7 hexadecimal characters].zip. Inside, you will find a file with a similar name: budget [7 hexadecimal characters] xls.vbs. The random combination of symbols is different for the archive and the contained file. Opening the contents of the .zip archive would download a malicious .dll file which prompts the download and installation of Thor file extension ransomware.
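A mail filter can screen attachments for the archive and script names described above. The following is an added example, not code from the original article; it also goes beyond the one campaign by flagging any Windows script file inside a .zip attachment, and the extension list, function names and sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

ARCHIVE_NAME = re.compile(r"budget_xls_[0-9a-f]{7}\.zip", re.I)
MEMBER_NAME = re.compile(r"budget [0-9a-f]{7} xls\.vbs", re.I)
# Generalization (assumption): script types a mail user rarely needs to receive.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

def screen_attachment(filename, data):
    """Return a list of reasons to quarantine; an empty list means no hit."""
    reasons = []
    if ARCHIVE_NAME.fullmatch(filename):
        reasons.append("archive name matches campaign pattern")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            # Compare the bare file name, whatever folder it sits in.
            base = member.replace("\\", "/").rsplit("/", 1)[-1]
            if MEMBER_NAME.fullmatch(base):
                reasons.append(f"member matches campaign pattern: {base}")
            elif base.lower().endswith(SCRIPT_EXTS):
                reasons.append(f"script file inside archive: {base}")
    return reasons

def make_zip(members):
    """Build an in-memory .zip from {name: text} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples with inert placeholder content.
CAMPAIGN = make_zip({"budget 7d41c0a xls.vbs": "' placeholder"})
GENERIC = make_zip({"docs/run.JS": "// placeholder"})
BENIGN = make_zip({"report.xlsx": "placeholder"})

if __name__ == "__main__":
    print(screen_attachment("budget_xls_a3f09b1.zip", CAMPAIGN))
    print(screen_attachment("invoice.zip", GENERIC))
    print(screen_attachment("report.zip", BENIGN))
```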

We advise you to handle your messages with the utmost caution. Make sure an email comes from a reliable sender before accessing files from it. To verify the reliability of a given letter, check the sender’s email address. If the sender is writing on behalf of a certain company or entity, visit its official website for references.

Thor Ransomware Uninstall

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Thor Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panel
  4. In the date field, choose a date at least a month ago
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods work, you should try to recover the encrypted files by using file recovery software. Since Thor Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
