.THOR file virus ransomware decryptor and removal

by

The .thor extension denotes files encrypted by a new variant of Locky ransomware, which now creates _WHAT_is.html/.bmp ransom notes and demands 0.5 Bitcoins.

What is .THOR file virus?

The nuts and bolts of the illegal ransomware business is to distribute a Trojan that encrypts one’s personal data and then demand cryptocurrency for decryption. There are numerous families of these infections prowling the Internet. The Locky breed is currently somewhere on the apex of the digital extortion food chain. It has spawned five different versions since February 2016. The one dubbed Thor is the latest iteration, having emerged in late October and rapidly picking up the pace over the last few days. This edition got its name from the .thor extension that it affixes to the targeted files. Like its antecedent, it also drastically changes filenames, that is, the values that precede the extensions. Ultimately, Thor will turn a victim’s regular document, image, video or database into something like SU7DRHCB-EG3N-Y5GZ-00F1-6E1D0931FA25.thor.

_WHAT_is.html ransom note and desktop wallpaper changed by Thor virus
_WHAT_is.html ransom note and desktop wallpaper changed by Thor virus

Recovery manuals tend to change with every new version of Locky. Its new sockpuppet creates several editions of the ransom notes, namely _WHAT_is.html, _WHAT_is.bmp, and _[random_number]_WHAT_is.html (e.g. _71_WHAT_is.html). The first two will appear on the desktop, and the one with a numeric value in its name is added to individual folders. The essentials of these instructions include the warning proper, according to which the user’s files are encrypted with RSA-2048 and AES-128 ciphers. Unfortunately, this is a truthful statement, therefore brute-forcing of the private keys is not a very realistic undertaking. Furthermore, the victim gets a couple of .tor2web.org and .onion.to links that resolve the Locky Decryptor page. Be advised these are only accessible via Tor Browser that ensures anonymization of online connections.

Locky Decryptor page with ransom payment tips
Locky Decryptor page with ransom payment tips

The aforementioned personal page is intended to streamline the process of paying the ransom. The bad guys leverage it to upsell a tool called the Locky Decryptor, where the price may vary but usually won’t exceed 0.5 Bitcoins. The use of digital cash is another anonymization component of the extortion routine that keeps the criminals from being tracked down and busted.

The circulation of the Thor ransomware in the wild is not as technically sophisticated as one might imagine. Rather than employ complex hacking techniques, the threat actors rely on social engineering and thus exploit human vulnerabilities, so to speak. It turns out, this vector has a high rate of successful malware installations. The spreading framework engages a massive phishing campaign. The targeted users receive legit-looking emails camouflaged as receipts, invoices, delivery reports and the like. Once a user double-clicks on the attached file, a covert VBS or JS script will download the Thor virus to the machine. The rest of the attack is mostly a matter of a series of obfuscated events that the victim isn’t likely to thwart. The Trojan scans the computer and the network for personal files, encrypts them and starts alerting the user via its ransom notes.

Although none of the Locky versions has been decryptable for free, and Thor is no exception, there is a glimmer of hope that users can get their files back. Use the self-help sections below to see if you can restore .thor files without paying up.

Automatic removal of the .thor virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the adware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button Download .THOR removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get .THOR automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.


Recover .thor files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups

The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools

The research of .THOR virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies

The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which performs files or volumes backup routine automatically. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature

    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory. Previous Versions feature

  • Shadow Explorer applet

    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed. Shadow Explorer


Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download .THOR scanner and remover

Related posts

  1. Remove Piesearch virus from Chrome, Firefox and IE
  2. Cerber3 ransomware removal: how to decrypt .cerber3 virus files
  3. Fantom ransomware removal: how to decrypt .fantom files virus
  4. Remove ODIN virus ransomware – decrypt .odin files

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.