I am a victim of Thor - What to do?


  • This topic is locked
3 replies to this topic

#1 ArchEnemyofBitcoin

  • Members
  • 6 posts

Posted 09 November 2016 - 01:35 PM

I recently became a victim of the thor virus and my back-up was unfortunately plugged into the USB port at the time of infection, which resulted in both my hard drive and back-up being exposed and all my critical data and image files being encrypted with the .thor suffix. This is the first time I have ever incurred this sophisticated a virus and I have several questions.

 

1. I'm registering on this site because there was a forum entitled "How to Decrypt Thor without Paying the Ransom", but the forum is locked and I could not access it, so I'm starting a new one.

 

2. What is the earliest date that anyone has experienced thor (not locky)?

 

3. Does anyone have an idea, based on past experience, when a solution to this virus might occur? One of my options is to shut down this computer and wait for a solution to un-encrypt the files; I'm looking for a timeframe if I choose this option.

 

4. At this point the internet is providing a multitude of suggestions, several of them contradictory, for example: remove vs. don't delete the email that contained the virus; remove the virus from your computer then reload your back-up (not possible); remove the virus and use system restore (not possible, the restore point has been deleted); remove the virus and use shadow explorer to restore (I've loaded shadow explorer but it doesn't seem to restore anything); last but not least, remove the hard drive and send it to a professional to try and recapture a previous version. Can someone provide a plan that makes sense? My biggest fear is that removing the virus or the email that contained the virus might prohibit me from paying the ransom as a last resort.

 

5. I have been made aware that some people have paid the ransom. I do not want to go this route, but some of this data are my medical records, financial documents, and personal pictorial history of events in my life going back 25 years; I may not have a choice but to pay the ransom. My question is, does anyone have experience paying the ransom? I've heard things about paying the ransom from "it worked" to "the key sent didn't work" or even "I didn't get any response once I paid the ransom"; does anyone have any experience?





#2 Struppigel

    Karsten Hahn, G DATA Malware Analyst

  • Malware Response Team
  • 231 posts

Posted 10 November 2016 - 05:48 AM

Hi ArchEnemyofBitcoin.
 
1. The thread has been locked because we have one support topic for every ransomware family. I suggest you do the same and post your questions in Locky Ransomware (Zepto) Support and Help Topic - _HELP_instructions.html
Note that the file extension .thor is typical for a Locky infection.
 
2. I first heard of the .thor variant of Locky by the end of October 2016. The sample that was referenced by the news sites was uploaded to VirusTotal on 11 October.

3. There is no timeframe. A solution might never occur. Locky has been pretty successful so far in encrypting the files flawlessly, thus making it impossible to create free decryption tools. There is a slight chance of law enforcement getting hands on the private keys that are in the hands of the attackers. But you cannot know if or when this will happen. Back up your encrypted files and registry, just in case. You only need to keep one ransom note of the infection to have the option of paying.

4. Locky deletes itself from the system after encryption, so you will most likely not find it there anymore. Your system might have other malware that downloaded Locky to your system. Back up your files and get help in Virus, Trojan, Spyware, and Malware Removal Logs.
Shadow Volume Copies are deleted by Locky, and file recovery is usually not possible.

5. I pass on this one. Just keep in mind that you would have to trust criminals on this one.

Best regards
Marie

Edited by Curie, 10 November 2016 - 05:51 AM.
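The backup step recommended in the reply above (keep the encrypted files, the registry and one ransom note before any cleanup), as an added example that is not code from the post or from BleepingComputer: a Python script that inventories every file carrying the .thor extension quoted in this thread, copies each one with its relative path and SHA-256 into a separate backup folder, and keeps a single copy of the _HELP_instructions.html ransom note named above. The source and backup directories are placeholders chosen by the caller; the registry export is a Windows-only step (reg export) and is left out of the script.

```python
"""Inventory and back up ransomware-encrypted files before any cleanup.

Added example, not code from the forum post or from BleepingComputer.
It uses the ".thor" extension and the "_HELP_instructions.html" ransom-note
name quoted in this thread; the source and backup directories are chosen
by the caller. Exporting the registry is a Windows-only step (reg export)
and is left out of this script.
"""
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".thor"                    # extension quoted in the thread
RANSOM_NOTE_NAME = "_HELP_instructions.html"  # ransom-note name quoted in the thread


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large image/document files stay off the heap."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_encrypted(source: Path, dest: Path) -> dict:
    """Copy every encrypted file, and exactly one ransom note, from source to dest.

    Relative paths are preserved so that, should a decryptor appear later, the
    files can be put back where they belong. Returns an inventory dict:
      {"files": {relative_path: sha256, ...}, "ransom_note": relative_path_or_None}
    The hashes let you confirm later that the backup copies are still intact.
    """
    src, dst = source.resolve(), dest.resolve()
    if src == dst or src in dst.parents:
        raise ValueError("backup directory must lie outside the source tree")
    inventory = {"files": {}, "ransom_note": None}
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(source)
        is_encrypted = path.suffix.lower() == ENCRYPTED_SUFFIX
        is_first_note = (path.name == RANSOM_NOTE_NAME
                         and inventory["ransom_note"] is None)
        if not (is_encrypted or is_first_note):
            continue  # untouched files are not part of this backup
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps, useful for a timeline
        if is_encrypted:
            inventory["files"][rel.as_posix()] = sha256_of(target)
        else:
            inventory["ransom_note"] = rel.as_posix()
    return inventory


def write_inventory(inventory: dict, dest: Path) -> Path:
    """Store the inventory next to the copies as a simple tab-separated listing."""
    listing = dest / "inventory.tsv"
    lines = [f"{digest}\t{rel}" for rel, digest in sorted(inventory["files"].items())]
    if inventory["ransom_note"]:
        lines.append(f"ransom_note\t{inventory['ransom_note']}")
    listing.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return listing


if __name__ == "__main__":
    import sys
    # Placeholder paths supplied by the caller, e.g. the infected profile and an external drive.
    src_dir, dst_dir = Path(sys.argv[1]), Path(sys.argv[2])
    inv = backup_encrypted(src_dir, dst_dir)
    print(f"copied {len(inv['files'])} encrypted files to {dst_dir}; "
          f"ransom note kept: {inv['ransom_note']}; listing: {write_inventory(inv, dst_dir)}")
```

Run it against the infected profile and a destination on a separate drive before any removal tool touches the system; the listing file gives a checksum to compare against the copies later, and the backup directory is refused if it sits inside the source so the copies are never re-scanned as new input.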


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,944 posts
  • Location:Virginia, USA

Posted 10 November 2016 - 06:58 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above Locky support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 hamluis

    Moderator

  • Moderator
  • 56,421 posts
  • Location:Killeen, TX

Posted 10 November 2016 - 05:50 PM

Submitted as REPORT item from ArchEnemyofBitcoin, adding to topic as feedback:

 

 

Posted Today, 03:05 PM

Struppigel, on 10 Nov 2016 - 04:48 AM, said: [quotes reply #2 above in full]

Thank you for your assistance, I have reposted my questions under the recommended forum. From what you are saying there appears to be little hope of recovering my data without paying the ransom? Even though neither of us feels that is the appropriate solution.

 

Louis





