Remove Thor ransomware and decrypt .thor extension files


As the recent Thor ransomware release has demonstrated, the threat actors in charge are adding a fair degree of incoherence to the average time span between different variants of the Locky crypto epidemic. Whereas the timing used to be on the order of three months, it took the bad guys as little as one day to switch from the previous .shit edition to the current .thor file extension variant.

At first sight, there doesn’t appear to be much novelty introduced in the updated strain. The main propagation vector is still spam-supported. As before, the Tor (The Onion Router) page for paying ransoms goes by the name of the “Locky Decryptor Page”. And yet, this wouldn’t be an upgrade if no new distinct properties were added to the code. One of the changes has to do with filename tweaks. The ransomware now subjoins the .thor extension to flag every data entry it has encrypted. The rest of the filename structure turns into a muddle of 32 hexadecimal chars split into five distinct groups with hyphens in between, for instance, A7CED3B3-4F85-1157-1D18-D674D3F44E82.thor.

A fundamental difference of this iteration from Locky’s older versions is that it encrypts data offline. When in this “autopilot” mode, the ransomware is more difficult to detect simply because it already goes with a private RSA key and needn’t get one from a Command & Control server. Consequently, Thor doesn’t produce suspicious traffic that might otherwise be a wakeup call for the Firewall.

Ransom notes, new desktop background and encrypted .thor files

The basic set of instructions regarding data decryption is highlighted in ransom manuals that the Thor virus creates on the desktop and sprinkles throughout the infected computer’s folders with files. The new names thereof are as follows: _[random digits]_WHAT_is.html, _WHAT_is.html, and _WHAT_is.bmp. The BMP format file will forcibly replace the desktop wallpaper to add an additional layer of victim interaction. The wording in all of these messages didn’t undergo modifications compared to the previous version. The warning still says, “All of your files are encrypted with RSA-2048 and AES-128 ciphers,” which is true. This means that Thor has already scanned the computer for personal files and encoded them all with a rock-solid alloy of symmetric and asymmetric cryptosystems.
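Added example, not part of the original article: a Python triage sketch that uses the .thor filename pattern described earlier and the ransom-note names listed above to count affected files per folder, which helps scope the damage before attempting recovery. The sample folder layout and the `_17_` note prefix are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Renamed file: 32 hex chars grouped 8-4-4-4-12, then .thor (as in the article's example).
ENCRYPTED_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.thor$", re.I)
# Ransom notes: _[digits]_WHAT_is.html, _WHAT_is.html, _WHAT_is.bmp.
NOTE_RE = re.compile(r"^(?:_(?:\d+_)?WHAT_is\.html|_WHAT_is\.bmp)$", re.I)

def classify(name):
    """Return 'encrypted', 'note' or None for a bare file name."""
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    return "note" if NOTE_RE.match(name) else None

def scan_tree(root):
    """Walk root and return {directory: {'encrypted': n, 'note': n, 'other': n}}."""
    report = defaultdict(lambda: {"encrypted": 0, "note": 0, "other": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            report[os.path.relpath(dirpath, root)][classify(name) or "other"] += 1
    return dict(report)

def affected_dirs(report):
    """Directories holding at least one encrypted file or ransom note, sorted."""
    return sorted(d for d, c in report.items() if c["encrypted"] or c["note"])

def build_sample_tree(root):
    """Constructed sample data: empty files whose names mimic an infected profile."""
    layout = {
        "Documents": ["A7CED3B3-4F85-1157-1D18-D674D3F44E82.thor",
                      "_17_WHAT_is.html", "budget.xlsx"],
        "Desktop": ["_WHAT_is.html", "_WHAT_is.bmp"],
        "Music": ["track01.mp3", "thor.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, counts in sorted(scan_tree(tmp).items()):
            print(folder, counts)
```

Point `scan_tree` at a user profile or file share to see which folders need restoring; it only reads file names and changes nothing on disk.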

The ransom notes provide several Tor links with or domain identifiers. Technically, these pages are hidden web services that host the Locky Decryptor Page. When on this resource, a victim will learn how much to pay for the automatic decrypt tool. The ransom size is usually in the range of 0.5-1 Bitcoin.

Thor mainly arrives at systems through phishing. Spam emails with attachments pretending to be some order details, invoices, cancellation forms, receipts or job offers may look trustworthy, but once a user double-clicks on the attached ZIP file, an obfuscated JavaScript or VBScript loader will execute the offending code on the machine in a matter of seconds. To prevent this attack, therefore, opening files that go with suspicious spam emails should be off limits. Most importantly, make data backups on a regular basis. If the attack has taken place, do not panic. Start with the methods below to get rid of the infection and try to restore .thor files without submitting cryptocurrency to the extortionists.

Thor virus removal

As counterintuitive as it is, removal of this particular threat is not too complicated, unlike the cleanup scenarios for screen lockers, which represent another group of ransomware infections on the loose. The main challenge with regard to Thor is getting personal files back without having to do what the extortionists want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:

  1. Download and install HitmanPro.Alert (supports: Windows XP, Vista, 7, 8, 8.1, 10)
  2. Open the program, click on the Scan computer button and wait for the scan to be completed
  3. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Restore encrypted files using Shadow Copies

Now you’ve got both some good and bad news. On the one hand, Thor is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

As it has been mentioned above, despite successful removal of Thor the compromised files remain encrypted with the AES and RSA algorithms. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality


Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way. 

Restoring encrypted data with Shadow Explorer utility


Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous versions of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration.
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic recovery software

It might sound surprising, but Thor does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.

Bottom line

Thor poses a critical risk to one’s personal information; therefore, the focus security-wise should be on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse aftermath of this attack.

