The newest iteration of Locky ransomware using the thor file extension continues to evolve and infect, using newer and newer methods to be spread. The virus has been made by experts in the field and distributed in massive and organized proportion. In this article we have included more information about this nasty threat and methods to remove it completely from your computer as well as other alternative solutions to restore your files.
Download Malware Removal Tool, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files
What Is New in Locky .thor?
The first new modification about this specific virus is primarily connected to the way it disrtributes. Unlike the previous variants, the newer one now uses a rich mixture of file types to cause the infection. We have detected primarily the .wsf, .js, .hta, .zip, .vbs, .bin file extensions being used but there have also been reports on infections by Locky .thor ransomware occurring the following ways:
- Via .vbs type of files that download malicious .dll files.
- Via .pdf files, such as DSCF1223.pdf that deliver the malware through spam.
Locky’s spam distributors are quite cunning as well. They use e-mail subjects such as “Transaction Declined”, “Your Receipt” and similar to trick inexperienced users that the file which is actually Locky is of utmost importance and must be opened.
The developers of Locky ransomwre have also included new features in their virus, such as a feature that stops the malware from encrypting files if it is ran on a Virtual Drive player, like VirtualBox for example. This is due to the new feature of Locky that allows it to detect when it is ran on an actual computer and a virtual machine.
What Does Locky .thor Do?
In terms of after being infected with the virus, the procedure is relatively standard. First, the Locky .thor ransomware variant connects to one of the many payload hosts, little of which we see on the picture below:
After being connected to those websites and downloaded the payload, the ransomware virus also performs several other activities, like deleting shadow copies of the infected computer. This is achievable by the vssadmin command, for example:
After any backups are deleted, the .thor ransomware may get straight to the point and begin encrypting the files on the compromised computer. The file extensions which are associated with the .thor variant are reported by researchers to be the following:
As soon as a file corresponds to the extension supported by Locky, the virus immediately begins to encrypt it’s data so that the file becomes no longer openable.
Two very advanced encryption algorithms are used, the AES-128 bit most likely to change the structure on the files and the RSA-2048 to encrypt the decryption keys after sending them to one of the command and control servers of Locky.
How to Counter Attack Locky’s .thor Variant and Get The Data Back
At this point it is not recommended that you try and pay the ransom – it will not get your encrypted files back. Instead, malware researchers advise to use an automated anti-malware software (for maximum effectiveness) to remove Locky’s .thor variant thoroughly and to back up the encrypted files.
Download Malware Removal Tool, to See If Your System Has Been Affected By Locky Ransomware Virus and scan your system for .SHIT virus files
You have several alternatives after the removal of Locky ransomware:
- To use shadow explorer and to check if the virus has failed or succeeded in deleting your file history.
- To try and scan your computer with data recovery programs.
- To use other third-party decryptors by Emsisoft or Kaspersky, just in case the encryptor is the same with other ransomware viruses which is not likely.
- To scan your hard drive with a data recovery software and attempt recovering your data which would be successful if you are lucky.
Whatever option you choose is up to you, but we strongly advise waiting for a decryptor to be released. As soon as there is one, make sure to follow this article as we will update it with a web link.