.thor Files Virus - Remove Locky's Latest Strain - How to, Technology and PC Security Forum | SensorsTechForum.com

.thor Files Virus – Remove Locky’s Latest Strain


A brand new strain of the Locky ransomware has been found overnight by malware researchers after the variant with the .shit extension had been discovered. The authors of the virus have decided to bring the Norse mythology theme back to their ransomware projects, as we see the .thor extension being appended to encrypted files. To see how to remove the virus and how you can try to restore your files, read the whole article.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsEncrypted files will have the .thor extension appended to them.
Distribution MethodSpam Emails, Email Attachments (.wsf, .js, .hta, .zip, .vbs, .bin), Google Docs
Detection Tool See If Your System Has Been Affected by Locky


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Locky.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Locky Ransomware – Delivery

The latest malware strain of the Locky ransomware uses Command and Control servers as a delivery method. Spam emails with an empty body, contain attachments which deliver a downloader to your PC. From then on the downloader pieces together the ransomware and encrypts your data. The email attachments look like legitimate documents, while the sender’s name, address, and email might be spoofed off of real companies and their employee data. The attachments are script holders or downloaders, and the used file types are: .wsf, .js, .hta, .zip, .vbs and .bin ones.

Here is an example of one such file detected by Payload Security:


Locky ransomware might also be spread around social media networks and file-sharing sites. One platform reported for delivering the malicious files is Google Docs. Do not open links, attachments and files which are suspicious or with an unknown origin. Before opening files, make sure they are not any of the above listed file types, including .exe ones. In addition, always perform a scan with a security tool, check the files for their signatures and size. You should pay a visit to the topic about ransomware prevention tips written in our forum.

Locky Ransomware – Description

Locky ransomware uses a new extension on encrypted files and that is the .thor extension. It can be said that the authors of the cryptovirus turn back to its roots – that is, if the Norse mythology was in the mind of the cybercriminals. Most extensions used by the ransomware were named after Thor, Odin, and Loki, who are all Gods in Norse mythology. Though, the crooks might have had Marvel’s comics and movies portrayal of the Gods in mind. What is even more interesting – Heimdallr is also a Norse God (son of Odin) and Heimdal Security is named after him. Are the malware creators mocking Heimdal Security? Or Anti-malware programs in general?

The virus utilizes C2 (Command and Control) servers for the delivery of its payload files as described in the previous section. The files contain a malicious script that downloads a .dll file on your computer. Once run, your computer system becomes infected. You can check out some of the C2 servers, down here:

  • yptehqhsgdvwsxc.biz/linuxsucks.php
  • fvhnnhggmck.ru/linuxsucks.php
  • krtwpukq.su/linuxsucks.php
  • tdlqkewyjwakpru.ru/linuxsucks.php

Locky ransomware can be downloaded from numerous download locations, some of which are listed below.

List with payload download sites

After the .DLL file is executed, it will encrypt your files and display a ransom note. Copies of this note will be spread in directories with encrypted files with the name _WHAT_is. One is a .bmp file and the other is a .html one, where the image file will be set as your desktop background.

The ransom note of the virus is the same as the variant with the .shit extension:


And when you load the _WHAT_is.html file, it will look like the following:


The text reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:
1. http://jhomitevd2abj3fk.tor2web.org/5DYGW6MQXIPQSSBB
2. http://jhomitevd2abj3fk.onion.to/5DYGW6MQXIPQSSBB
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB
4. Follow the instructions on the site.
!!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!

The Locky virus virus to the service with payment instructions we have seen in past variants. The service can be accessed if you enter the name of an encrypted file (this is done to limit access to the service). You can see the site hidden on the TOR network in the picture below:


The Locky ransomware has no variants that have been decrypted, and the code for this one is from the same authors. Previously infected users with an older variant of this virus have reported that they could not recover their data even after paying the ransom. So, no reason exists for you to contact the cybercriminals or think about paying. Evidently, the crooks will simply continue to make other ransomware viruses.

File types that are currently being encrypted by the Locky ransomware are over 400 in number and have the following extensions:

→txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, m11, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .arc, .paq, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .nef, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .mdb, .sql, .sqlitedb, .sqlite3, .pst, .onetoc2, .asc, .lay6, .lay, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .dot, .max, .xml, .txt, .csv, .uot, .rtf, .pdf, .xls, .ppt, .stw, .sxw, .ott, .odt, .doc, .pem, .csr, .crt, .key

All files which are encrypted will have the .thor extension appended to them and their names changed to random symbols. The encryption algorithm that Locky claims to use according to its ransom note is RSA-2048 with 128-bit AES ciphers and that seems to be the case.

The Locky cryptovirus is almost certain to delete the Shadow Volume Copies from the Windows operating system with the following command string:

→vssadmin.exe delete shadows /all /Quiet

Continue reading to see how to remove this ransomware and to check out which methods you can use to try and decrypt some of your files.

Remove Locky Ransomware and Restore .thor Files

If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Locky.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share