.Thor ransomware virus removal

A few days ago, a group of malware developers, which is responsible for the development of one of the most dangerous ransomware in recent years, has proved itself again. The new version of their Locky ransomware is called Thor, it encrypts files and assigns the appropriate extension. All the characteristics of the virus are the same, including the names of instructions, penetration scheme and used encryption algorithms. Redemption amount is 3 BTC (more than $ 1900). In the penultimate version of Locky, called Odin, redemption amount was the same, but in the version published last week, which is assigned to the file extension .shit, redemption was only 0.5 BTC. Regardless of the redemption amount, we strongly recommend that you do not have to pay the extortionists, as every dollar paid to them will help to create more and more new malware. Most importantly, even if you pay the ransom, you have no guarantee that hackers decipher your files. It is safest to wait, until a special program for .thor files decrypting will be created.

Locky still actively uses spam e-mails to infect users' computers. Most often, these are messages from courier or delivery services, which states that you have received the parcel, and you need to print a document in the attachment, and with it come the nearest company office. It is also sometimes used a system called "You won." The user receives a letter in which it’s said that he won in some obscure contest or minor lottery, and to pick up the prize you should print a document (an invitation, a lottery ticket or anything else) from attachment. The aim of all these reports is the same: to lull the user's attention and get him to open an attachment that contains a malicious file. The virus is spread in two ways: as a ready installation file, and a script which initiates the download of the virus from one of C & C servers. In any case, since penetration to the start of work extends no more than a few minutes. First, the virus searches for files that often are the main custodians of information: .txt, .jpg, .png, .PDF, .xlsx. These files are encrypted in the first place, followed by everyone else. Here is the complete list of extensions that Locky is able to encrypt:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Unfortunately, this list gets virtually all types of files that can be stored on a computer of the average user.

It is impossible to decrypt Locky files without both encryption keys. Asymmetric encryption AES-256 is so complicated that user might spend thousands of years on the most powerful computers to break it. A few years ago, there was a loophole for users to recover files, called Shadow Volume Copies. This is a built-in service of Windows OS, which, when enabled, saves files to before they are edited or deleted. Unfortunately, all versions of the Locky virus are able to delete shadow copies, although sometimes they will not succeed, because of the specific combination of system settings and the version of the virus. Currently, the only way to restore files is to download the backup. Before you load the backup, you should completely remove the virus from your PC, and thoroughly scan it with antivirus software. After that, download a backup, and use the computer as usual. If you do not have a backup, then the only right way is to remove the virus, and wait until reliable decryptor for .thor files will be developed.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Antivirus scanner

Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

Add comment

Security code

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.