ThunderCrypt – Remove and Restore Encrypted Files - How to, Technology and PC Security Forum |

ThunderCrypt – Remove and Restore Encrypted Files

This article is created to help you remove ThunderCrypt ransomware infection from your computer and restore AES and RSA encrypted files.

A ransomware infection known as ThunderCrypt has been reported to use a strong combination of AES and RSA ciphers to encrypt the files on the computers infected by this ransomware infection. The virus then leaves behind a ransom note, where it demands from victims to pay approximately 0.3 BTC in order for their files to be decrypted and restored back to normal. In case you have become a victim of ThunderCrypt ransomware, recommendations are to focus on removing the virus and restoring your data. It is strongly advisable to read this article in case you have become a victim of ThunderCrypt ransomware.

Threat Summary



Short DescriptionEncrypts files on the computers it infects asking a hefty ransom fee to be paid – 0.345 BTC.

SymptomsThe victim may not be able to open the files. Displaying of error messages. Dipslaying of the virus wallpaper and ransom note.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by ThunderCrypt


Malware Removal Tool

User ExperienceJoin our forum to Discuss ThunderCrypt.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

ThunderCrypt Ransomware – Distribution

For the infection process of ThunderCrypt ransomware, different types of malicious tools may be used:

  • Exploit kit software.
  • JavaScript (.js) files.
  • Microsoft Office or Adobe PDF documents with malicious macros.
  • Intermediary malware such as downloaders and droppers.
  • Multiple other malicious files.

The files for which this ransomware is responsible in connection to it’s distribution may usually be spread via different types of methods, such as:

  • Via malicious spam e-mails sent to victims as form of legitimate documents or web links.
  • Via seemingly legitimate files sent out to users in order to trick them into downloading them from online file sharing services, like Dropbox.
  • Via fake updates, pretending to fix Java or Adobe Flash.
  • Via fraudulent license activators, keygens and other types of files as well.

An example of an attachment sent via e-mail can be seen below, asking the victim to enable macros:

ThunderCrypt Ransomware – Activity

After the victim has been already infected, the intermediary malware of ThunderCrypt connects to a remote host and may download multiple malicious files on the compromised computer. On of those files is detected to be eyny.exe and besides it, other support modules may also be downloaded:

.dll, .bat, .vbs, .tmp, .reg, .exe, .js

These files may reside in the following Windows system folders:


The malicious files, also called modules are responsible for the malicious activity of ThunderCrypt ransomware, including the encryption of the files of the victim PC. For starters, the ThunderCrypt virus may attack multiple different registry entries in order to make it’s malicious file that encrypts data run on Windows start-up. The targeted Windows keys for this purpose are the following:


In addition to performing modifications in the Windows Registry Editor, this ransomware infection may also delete the Shadow Volume copies (back ups) of the compromised computer. This happens by running a process in the background that opens cmd.exe and types the following commands in the background:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

After this has been performed, the virus may drop it’s distinctive ransom note, named ThunderCrypt. It has a screen with a timer that has the following message to affected users:

Good afternoon!
We have encrypted all your personal files!
To see the list of encrypted files click here.
We did this using hybrid RSA-2048 public key encryption. It basically means there is no way to decrypt your files without the private key. The private key is stored on our server.
Indeed, we can recover your files. You just have to pay us before the deadline (see the countdown). If you don’t the private key will be securely erased from our server and you will lose encrypted files forever.
Transfer required amount (see on the left) to the Bitcoin address below, which was generated just for your payment. If you don’t know how to use Bitcoin or where to buy Bitcoins, click here. As soon as the transaction gets confirmed, the decryption will start automatically. It usually takes about 30 minutes for a transaction to become confirmed. You will be notified about any progress.
WARNING. Antivirus software may remove this program, but it can’t decrypt your files. So, better temporarily disable your antivirus, because we can’t decrypt your files if this program is damaged. Also, do not modify any of the encrypted files, otherwise even we won’t be able to recover them.
If you have any questions or if you encounter any problems with payment, feel free to contact us.
Also we can decrypt one file up to 3 MiB for free as a proof that decryption is possible.

.ThunderCrypt – Encryption Process

In order to encrypt files, ThunderCrypt ransomware uses a strong combination of AES and RSA ciphers. The AES cipher aims to encrypt the files themselves and generate a unique key and the RSA cipher is there to generate public and private key for each file or set of files. The information is then sent to the cyber-criminals and has a unique ID in it by which they can distinguish different infections. The targeted files for encryption may be the following:


The ThunderCrypt virus is very careful not to encrypt important Windows files, so that the operating system works and has active connection. It may skip encrypting the files in the important Windows system folders.

Remove ThunderCrypt Ransomware and Restore Data

Before actually performing the removal of the ThunderCrypt infection, recommendations are to always backup the encrypted files. After doing so, it is strongly advisable to follow the instructions below. They will help you remove ThunderCrypt either manually or automatically. Security experts always outline the automatic approach as the best solution. It includes scanning the computer with a tool specifically designed to remove malware, such as ThunderCrypt thoroughly and swiftly.

After having removed ThunderCrypt ransomware, you may want to try the alternative tools for file restoration in step “2. Restore files encrypted by ThunderCrypt” below. They are not 100% effective, but in some scenarios may restore a huge chunk of your data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share