
.thor Files Virus – Remove Locky’s Latest Strain


A new strain of the Locky ransomware was found overnight by malware researchers, shortly after the variant with the .shit extension had been discovered. The authors of the virus have brought the Norse mythology theme back to their ransomware project: the .thor extension is now appended to encrypted files. To see how to remove the virus and how you can try to restore your files, read the whole article.

Threat Summary

Name: Locky
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your data and then displays a ransom message with instructions for payment.
Symptoms: Encrypted files have the .thor extension appended to them.
Distribution Method: Spam emails, email attachments (.wsf, .js, .hta, .zip, .vbs, .bin), Google Docs

Locky Ransomware – Delivery

The latest Locky strain arrives through spam emails with an empty body that carry an attachment. The attachment is not the ransomware itself but a script downloader which, once run, fetches the Locky payload from the Command and Control servers listed further down, pieces it together and launches it to encrypt your data. The attachments are named to look like legitimate documents, while the sender's name, address and email may be spoofed from real companies and their employee data. The attachment file types used are .wsf, .js, .hta, .vbs and .bin, frequently wrapped in a .zip archive.

Here is an example of one such file detected by Payload Security:

[Image: Payload Security sandbox report for a .vbs downloader posing as a budget .xls, contacting a C2 server at /linuxsucks.php]

Locky ransomware may also be spread through social media networks and file-sharing sites; Google Docs is one platform reported to have hosted the malicious files. Do not open links, attachments or files that are suspicious or of unknown origin. Before opening a file, make sure it is not one of the file types listed above, nor an .exe. In addition, always scan it with a security tool and check its signature and size. The topic about ransomware prevention tips in our forum is also worth a visit.
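The delivery pattern above (empty body, script attachment, often hidden in a .zip and named like a document) can be checked mechanically at the mail gateway. The following is an example added for this article, not code from the original page or from any vendor: it parses a message, flags script or executable attachments, looks inside .zip attachments for the same, and flags "document.xls.vbs" style double extensions. The sample message is constructed, and the list of decoy document extensions is an assumption.

```python
"""Triage an e-mail for the Locky spam pattern: empty body plus a script
downloader attachment (.wsf, .js, .hta, .vbs, .bin), possibly inside a .zip.
Example code added for this article; the sample message is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types the article lists as Locky downloaders, plus .exe as it advises.
RISKY_EXTENSIONS = {".wsf", ".js", ".hta", ".vbs", ".bin", ".exe"}
# Document-looking extensions used as the first half of a lure name (assumption).
DECOY_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}


def classify_name(name):
    """Return the reasons a filename looks like a downloader lure (empty if clean)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
        reasons.append(f"script/executable attachment {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS and suffixes[-1] in RISKY_EXTENSIONS:
        reasons.append(f"double extension {suffixes[-2]}{suffixes[-1]}")
    return reasons


def classify_attachment(name, data):
    """Classify the attachment itself and, for .zip, every member inside it."""
    findings = classify_name(name)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for reason in classify_name(member):
                        findings.append(f"zip member {member}: {reason}")
        except zipfile.BadZipFile:
            findings.append("attachment named .zip is not a valid zip archive")
    return findings


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    has_attachment = False
    for part in msg.iter_attachments():
        has_attachment = True
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        for reason in classify_attachment(name, payload):
            findings.append(f"{name}: {reason}")
    if has_attachment and not body_text:
        findings.append("empty body with attachment (Locky spam pattern)")
    return findings


def build_sample():
    """Constructed sample: empty body, budget.zip containing budget.xls.vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.xls.vbs", "' constructed placeholder, not real malware\r\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Budget"
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="budget.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

The double-extension check is the one that catches the lure in the Payload Security sample above: Windows hides the final extension by default, so "budget.xls.vbs" is shown to the user as "budget.xls".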

Locky Ransomware – Description

Locky ransomware now uses a new extension on encrypted files, .thor. It could be said that the authors of the cryptovirus are returning to their roots, if Norse mythology was indeed what the cybercriminals had in mind. Most extensions used by the ransomware have been named after Thor, Odin and Loki, who are all gods in Norse mythology, though the crooks might equally have had Marvel's comic and movie portrayal of those gods in mind. More interesting still: Heimdallr is also a Norse god (son of Odin), and Heimdal Security is named after him. Are the malware creators mocking Heimdal Security, or anti-malware programs in general?

As described in the previous section, the virus relies on C2 (Command and Control) servers to deliver its payload. The attachment contains a malicious script that downloads a .dll file from one of these servers onto your computer; once that .dll is run, the system is infected. Some of the C2 servers observed for this strain are listed below:

  • 185.102.136.77:80/linuxsucks.php
  • 91.200.14.124:80/linuxsucks.php
  • 91.226.92.225:80/linuxsucks.php
  • 77.123.14.137:221/linuxsucks.php
  • yptehqhsgdvwsxc.biz/linuxsucks.php
  • fvhnnhggmck.ru/linuxsucks.php
  • krtwpukq.su/linuxsucks.php
  • tdlqkewyjwakpru.ru/linuxsucks.php
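Because the hostnames rotate while the request path stays the same, hunting for the shared path is more durable than hunting for the hosts alone. The following is an example added for this article, not code from the original page: it loads the indicators listed above, parses constructed web-proxy log lines (a Squid-style access.log format is assumed) and reports both exact host/port/path matches and requests for /linuxsucks.php on hosts that are not yet on the list.

```python
"""Match web-proxy log lines against the Locky payload-server indicators above.
Example code added for this article; the log format and sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the article's C2 list.
LOCKY_C2 = [
    "185.102.136.77:80/linuxsucks.php",
    "91.200.14.124:80/linuxsucks.php",
    "91.226.92.225:80/linuxsucks.php",
    "77.123.14.137:221/linuxsucks.php",
    "yptehqhsgdvwsxc.biz/linuxsucks.php",
    "fvhnnhggmck.ru/linuxsucks.php",
    "krtwpukq.su/linuxsucks.php",
    "tdlqkewyjwakpru.ru/linuxsucks.php",
]


def split_indicator(ioc):
    """Normalise 'host[:port]/path' into (host, port, path); port defaults to 80."""
    parts = urlsplit("http://" + ioc)
    return (parts.hostname.lower(), parts.port or 80, parts.path or "/")


KNOWN = {split_indicator(i) for i in LOCKY_C2}
KNOWN_PATHS = {path for _, _, path in KNOWN}

# Squid native access.log: time elapsed client action/code size method URL ...
# (assumed format for the constructed sample below)
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def check_line(line):
    """Return a hit dict for a suspicious request, or None for a clean line."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    u = urlsplit(m.group("url"))
    if not u.hostname:          # e.g. CONNECT host:port lines carry no scheme
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    key = (u.hostname.lower(), port, u.path or "/")
    hit = {"client": m.group("client"), "url": m.group("url")}
    if key in KNOWN:
        hit["verdict"] = "known Locky payload server"
        return hit
    if key[2] in KNOWN_PATHS:
        hit["verdict"] = "Locky payload path on unlisted host"
        return hit
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and return the hits."""
    return [hit for hit in (check_line(l) for l in lines) if hit]


# Constructed sample log: two listed servers, one clean request, one new host.
SAMPLE_LOG = """\
1477900001.101 212 10.0.0.15 TCP_MISS/200 5120 GET http://91.200.14.124/linuxsucks.php - HIER_DIRECT/91.200.14.124 application/octet-stream
1477900002.330 180 10.0.0.22 TCP_MISS/200 940 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1477900003.512 260 10.0.0.15 TCP_MISS/200 5120 GET http://77.123.14.137:221/linuxsucks.php - HIER_DIRECT/77.123.14.137 application/octet-stream
1477900004.770 175 10.0.0.31 TCP_MISS/200 5120 GET http://qwertyuiop12345.ru/linuxsucks.php - HIER_DIRECT/198.51.100.7 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}: {hit['verdict']}")
```

A client that appears in the hits has most likely already run the downloader; the time stamp of the request is the start of your encryption window, and the client should be isolated before the host-side checks further down are run.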

Beyond these C2 servers, the Locky payload is hosted on numerous other download locations; see the separate list of payload download sites.

Once the .dll file is executed, it encrypts your files and displays a ransom note. Copies of this note, named _WHAT_is, are dropped into every directory containing encrypted files: one as a .bmp file and one as a .html file. The image file is also set as your desktop background.

The ransom note of the virus is the same as the variant with the .shit extension:

[Image: Locky ransom screen set as the desktop background, as seen with the .shit variant]

And when you load the _WHAT_is.html file, it will look like the following:

[Image: the _WHAT_is.html ransom note of the .thor variant]

The text reads the following:

!!! IMPORTANT INFORMATION !!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:
1. http://jhomitevd2abj3fk.tor2web.org/5DYGW6MQXIPQSSBB
2. http://jhomitevd2abj3fk.onion.to/5DYGW6MQXIPQSSBB
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB
4. Follow the instructions on the site.
!!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!

The Locky ransom note links to the same payment service, the "Locky Decryptor" page, that we have seen in past variants. The service can only be accessed after entering the name of an encrypted file (a measure meant to limit access to the service). The site hidden on the TOR network is shown in the picture below:

[Image: the Locky Decryptor page on the TOR network with payment instructions]

No variant of the Locky ransomware has been decrypted so far, and the code of this one comes from the same authors. Users infected with an older variant of this virus have reported that they could not recover their data even after paying the ransom. There is therefore no reason to contact the cybercriminals or to consider paying; evidently, the crooks will simply go on making more ransomware.

File types that are currently being encrypted by the Locky ransomware are over 400 in number and have the following extensions:

→txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, m11, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .arc, .paq, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, 
.cgm, .jpeg, .jpg, .tif, .tiff, .nef, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .mdb, .sql, .sqlitedb, .sqlite3, .pst, .onetoc2, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .dot, .max, .xml, .txt, .csv, .uot, .rtf, .pdf, .xls, .ppt, .stw, .sxw, .ott, .odt, .doc, .pem, .csr, .crt, .key

All encrypted files have the .thor extension appended and their names changed to random symbols. According to its ransom note, Locky uses RSA-2048 combined with 128-bit AES, and nothing observed in this variant contradicts that claim.

Like earlier variants, the Locky cryptovirus is almost certain to delete the Shadow Volume Copies of the Windows operating system with the following command, removing the built-in fallback for restoring previous versions of files:

→vssadmin.exe delete shadows /all /Quiet
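Two host-side indicators follow from the description above: the _WHAT_is.html / _WHAT_is.bmp notes beside .thor files, and the vssadmin command in process-creation telemetry. The following is an example added for this article, not code from the original page or from any vendor: it walks a directory tree for those file indicators and matches command lines against the shadow-copy deletion. The sample tree and the event records are constructed (the .thor filenames are placeholders and do not reproduce Locky's actual naming scheme), the tab-separated "pid, image, command line" export is an assumption, and the wmic shadowcopy delete pattern is a generalisation added here because it removes shadow copies the same way.

```python
"""Host triage for Locky .thor indicators: ransom notes, .thor files and
shadow-copy deletion in process command lines.  Example code added for this
article; the directory tree and process events are constructed."""
import os
import re
import tempfile

RANSOM_NOTES = {"_what_is.html", "_what_is.bmp"}
ENCRYPTED_EXT = ".thor"


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low in RANSOM_NOTES:
                notes.append(full)
            elif low.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
    return encrypted, notes


# vssadmin.exe delete shadows ..., tolerant of case, quoting, full path and switches.
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?[\"']?\s+delete\s+shadows\b", re.IGNORECASE)
# Generalisation added here: wmic shadowcopy delete has the same effect.
WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes Volume Shadow Copies."""
    return bool(VSSADMIN_RE.search(cmdline) or WMIC_RE.search(cmdline))


def scan_process_events(events):
    """events: iterable of (pid, image, command_line); return pids that delete shadow copies."""
    return [pid for pid, _, cmd in events if is_shadow_copy_deletion(cmd)]


def build_sample_tree():
    """Constructed victim profile: one clean document, two .thor files, two ransom notes."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    for rel in (
        "Documents/report.docx",                       # untouched file
        "Documents/3F9A2C7B1E4D6A08-11F3-2B9C.thor",   # placeholder encrypted name
        "Documents/_WHAT_is.html",
        "Documents/_WHAT_is.bmp",
        "Pictures/8C1D4E2F9A0B3C6D-4A2B-1C3D.thor",    # placeholder encrypted name
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder content\n")
    return root


# Constructed process-creation records: (pid, image, command line).
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\Users\\Bob\\notes.txt"),
    (4188, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /Quiet"),
    (4201, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    encrypted, notes = scan_tree(build_sample_tree())
    print(f"{len(encrypted)} .thor files, {len(notes)} ransom notes")
    print("shadow-copy deletion by pids:", scan_process_events(SAMPLE_EVENTS))
```

The vssadmin match is worth alerting on regardless of the ransomware family: legitimate administration rarely deletes all shadow copies quietly, and on a host where the command fired, any surviving shadow copies should be treated as the only pre-encryption state you still have.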

Continue reading to see how to remove this ransomware and to check out which methods you can use to try and decrypt some of your files.

Remove Locky Ransomware and Restore .thor Files

If your computer has been infected with the Locky ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware first, following the step-by-step instructions given below, then see the step titled "2. Restore files encrypted by Locky" for ways to try to recover your data.

Manually delete Locky from your computer

Note! Manual removal of Locky requires working with system files and the registry, and mistakes can damage your PC. If your computer skills are not at a professional level, don't worry: a malware removal tool can do the removal for you in about 5 minutes.

1. Boot your PC in Safe Mode to isolate and remove Locky files and objects
2. Find malicious files created by Locky on your PC

Automatically remove Locky by downloading an advanced anti-malware program

1. Remove Locky with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Locky
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
