{"id":957,"date":"2016-10-25T20:46:52","date_gmt":"2016-10-25T20:46:52","guid":{"rendered":"https:\/\/myspybot.com\/?p=957"},"modified":"2025-11-30T11:53:25","modified_gmt":"2025-11-30T11:53:25","slug":"thor-virus-files","status":"publish","type":"post","link":"https:\/\/myspybot.com\/thor-virus-files\/","title":{"rendered":"Thor virus: how to decrypt .thor files ramsomware"},"content":{"rendered":"
This guide provides the low-down on the newest Locky variant called Thor ransomware and advises on workarounds to decrypt files with the .thor extension.<\/blockquote>\n

Yesterday\u2019s edition of Locky ransomware<\/a> that appended the .shit suffix<\/a> to one\u2019s files didn\u2019t last. The unexpected news that hit the headlines literally hours later is that a new heir to the vicious throne has been discovered. The successor concatenates the .thor extension instead and renames files to a balderdash of numbers and characters. It goes without saying that a victim\u2019s valuable files also get encrypted, not just renamed. Ultimately, an infected user will be confronted with a change of a random document to something like SU8DRICBA-EG3N-Y5GZ-00BA-A085959612E7.thor<\/strong>. Of course, there exists no regular software that will be able to open this entry. No one but Locky authors have the private decryption key that can revive the skewed information, but they won\u2019t provide it for free.<\/p>\n

\"Thor<\/a>
Thor ransomware effects<\/figcaption><\/figure>\n

According to ransom notes called _WHAT_is.html<\/strong>, _[random number]_WHAT_is.html<\/strong>, and _WHAT_is.bmp<\/strong>, the user needs to visit their personal page to purchase the decryption service. The Thor ransomware reiterates the same recommendations in a new desktop background that replaces the original one automatically. The warning claims that all of the victim\u2019s files are encrypted with RSA-2048 and AES-128<\/a>, two extremely strong cryptosystems that are virtually uncrackable if implemented correctly. The bad news for all those infected is that Locky developers are tech-savvy enough to perform the encryption part of their breach flawlessly.<\/p>\n

The whole interaction chain with the cybercrooks takes place in the following way: first, the user is supposed to open one of the above-mentioned _WHAT_is.html\/.bmp<\/strong> help files. Locating them is a no-brainer as the ransomware adds them to the desktop and all folders that contain at least one encrypted item. The ransom manual has several, usually two, hyperlinks in it that resolve to the Locky Decryptor Page<\/strong>. A noteworthy nuance is that this page is only accessible with the anonymity-oriented Tor Browser. The resource in question informs the victim about the size of the ransom, which is typically 0.5 BTC ($327), as well as the Bitcoin address to submit it. After the extortionists verify and approve the transaction, they promise to make the automatic decryptor available. There is no certainty that the threat actors will be true to their word, though.<\/p>\n

Because there are no weak links in the actual crypto, the .thor extension virus can have a disastrous effect. Under the circumstances, taking efforts to avoid this ransomware is a strongly recommended route. The infection proliferates over phishing, where users receive fake budget forecasts, receipts or invoices. The ZIP archive attached to one of these tricky messages will extract to a .vbs file that furtively downloads a DLL installer of Thor. That being said, it\u2019s a very bad idea to open email attachments like that. Also, performing regular data backups should become everyone\u2019s habit these days. If this variant of Locky has already done its dirty job, start with a few forensic techniques that may be helpful for restoring .thor files.<\/p>\n<\/span>\r\n

<\/div>\r\n\r\n

Thor ransomware automated removal and data recovery<\/h2>\r\n\r\n

When faced with ransomware like Thor, one of the best shortcuts in terms of removal is to use Combo Cleaner, a lightweight and incredibly effective application with PC security and optimization features under the hood. It detects and thoroughly deletes threats while giving you insights into the overall health of your computer.<\/p>\r\n

This program\u2019s protection power spans modules that forestall all known types of malware, including ransomware and browser hijackers, and take your online security to the next level by blocking phishing sites and other suspicious web pages. Follow these simple steps to eliminate the infection for good:<\/p>\r\n

1<\/strong>. Download<\/strong> Combo Cleaner installer.<\/p>\r\n

<\/span>Download Thor remover<\/a><\/span><\/p>\r\n

Combo Cleaner scans your PC with no strings attached, but you\u2019ll have to buy its fully functional version to remove the threats it detects. The disk optimization tools that find large files and duplicates are free to use.<\/sup><\/p>\r\n

\"Download<\/p>\r\n

2<\/strong>. Open the CCSetup.exe file to get started. Several subsequent screens will allow you to make initial customizations so that the program works exactly as you need from the get-go.\"Setup<\/p>\r\n

3<\/strong>. The installation will be followed by an update of malware signatures. Once this process is through, click the Start Scan<\/strong> button in the left-hand sidebar.\"Start<\/p>\r\n

4<\/strong>. Combo Cleaner will then check system locations that are most often polluted by Windows malware. The first scan can take a while to finish.\"Combo<\/p>\r\n

5<\/strong>. Combo Cleaner will display a system tray notification as soon as the scan is over. Click the Resolve found threats<\/strong> button to view the results.\"Scan<\/p>\r\n

6<\/strong>. The scan summary shows the names and types of the detected threats as well as their statuses and locations. Click the Remove all threats<\/strong> button and follow further on-screen prompts to get rid of these items.\"Scan<\/p>\r\n

Data recovery toolkit to the rescue<\/strong><\/p>\r\n

Some strains of ransomware are known to delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Stellar Data Recovery features this type of a capability and therefore it can be applied in ransom attack scenarios to at least get the most important files back. So use the app to get an idea of what data can be restored and let it do the recovery job. Here is a step-by-step walkthrough:<\/p>\r\n

1<\/strong>. Download and install Stellar Data Recovery<\/a>.<\/p>\r\n

<\/span>Download Stellar Data Recovery<\/a><\/span><\/p>\r\n

2<\/strong>. Open the application, select the types of recoverable files to look for, and click Next<\/strong>.\"Stellar<\/p>\r\n

3<\/strong>. Choose the areas you want the tool to recover from and click the Scan<\/strong> button.\"Select<\/p>\r\n

4<\/strong>. Having scanned the specified locations, the program will display a notification about the total amount of recoverable data. Close the dialog and click the Recover button. This will hopefully help you get some of your valuable files back.\"Recover<\/p>\r\n<\/span>

<\/div>\r\n

Thor ransomware manual removal and file recovery<\/h2>\r\n\r\n

Some ransomware strains terminate themselves after completing the encryption job on a computer, but some don\u2019t. Furthermore, the Thor virus may prevent victims from using popular antimalware tools in order to stay on board for as long as possible. Under the circumstances, it may be necessary to utilize the Safe Mode with Networking or System Restore functionality.<\/p>\r\n

\r\n

<\/span>Remove Thor ransomware using Safe Mode with Networking<\/span><\/h4>\r\n

<\/span>Remove Thor ransomware using Safe Mode with Networking<\/span><\/h4>\r\n
\r\n

Boot into Safe Mode with Networking. The method to do it depends on the version of the infected operating system. Follow the instructions below for your OS build.<\/p>\r\n