
Ransom.Locker infected! .thor


  • This topic is locked
8 replies to this topic

#1 KamylsoN

KamylsoN

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 10 November 2016 - 01:38 PM

Hi! I got infected by this bleep..

The extension of the encrypted files is .thor

Screenshot of the .html

http://screenshot.sh/n9C6PixDnAMVN

This encrypted every one of my photos with my family. I'm so unhappy right now. If this isn't enough, tell me what more to give.

The virus was in a .js file sent by email.

ID Ransomware can't find an encryption type for my files.


Edited by KamylsoN, 10 November 2016 - 01:41 PM.




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:19 PM

Posted 10 November 2016 - 01:57 PM

It is Locky, your files cannot be decrypted. ID Ransomware did not identify it because it seems you renamed the file before uploading it. Locky will completely rename the files to 36 characters alphanumeric and with dashes, plus the ".thor" extension. If you renamed it to something like "12345.thor" or added the original extension like "22D01D6C-2257-7468-0AA2-B6F7ECD2379F.doc.thor", it will not pick up on it to avoid false positives.

Please see the article and support threads for more information. You can only either restore from backups, try Recuva and ShadowExplorer, or pay the ransom.


Edited by Demonslay335, 10 November 2016 - 01:58 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
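
The naming rule described in post #2, as an added example that is not part of the original thread and is not ID Ransomware's or CryptoSearch's code: it sorts a file listing into names that follow the described Locky ".thor" form, ".thor" files that were renamed (the case that goes unidentified), and everything else, per folder. The function names, the sample listing and the 8-4-4-4-12 grouping (inferred from the one example name in the post) are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath  # accepts both \ and / separators

# Assumption: 8-4-4-4-12 grouping taken from the single example in the post,
# which itself only says "36 characters alphanumeric and with dashes".
LOCKY_THOR = re.compile(
    r"[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{12}\.thor",
    re.IGNORECASE,
)


def classify(path):
    """Return 'locky_thor', 'renamed_thor' or 'other' for one file path."""
    name = PureWindowsPath(path).name
    if LOCKY_THOR.fullmatch(name):
        return "locky_thor"
    if name.lower().endswith(".thor"):
        # Right extension, wrong stem: a short name such as 12345.thor, or
        # the original extension re-added before .thor. The post says such
        # names are skipped by identification to avoid false positives.
        return "renamed_thor"
    return "other"


def triage(paths):
    """Count each class per parent folder so affected folders stand out."""
    summary = {}
    for p in paths:
        folder = PureWindowsPath(p).parent.as_posix()
        summary.setdefault(folder, Counter())[classify(p)] += 1
    return summary


# Constructed sample listing (not taken from any real machine).
SAMPLE = [
    "Users/k/Pictures/22D01D6C-2257-7468-0AA2-B6F7ECD2379F.thor",
    "Users/k/Pictures/22D01D6C-2257-7468-0AA2-B6F7ECD2379F.doc.thor",
    "Users/k/Pictures/12345.thor",
    "Users/k/Pictures/holiday.jpg",
    "Users/k/Documents/22D01D6C-2257-7468-1B3C-0F9E8D7C6B5A.thor",
]

if __name__ == "__main__":
    for folder, counts in sorted(triage(SAMPLE).items()):
        print(folder, dict(counts))
```

Files reported as `renamed_thor` are the ones to restore to their untouched encrypted name before submitting a sample for identification.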


#3 KamylsoN

KamylsoN
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 10 November 2016 - 01:59 PM

 

It is Locky, your files cannot be decrypted. ID Ransomware did not identify it because it seems you renamed the file before uploading it. Locky will completely rename the files to 36 characters alphanumeric and with dashes, plus the ".thor" extension. If you renamed it to something like "12345.thor" or added the original extension like "22D01D6C-2257-7468-0AA2-B6F7ECD2379F.doc.thor", it will not pick up on it to avoid false positives.

Please see the article and support threads for more information. You can only either restore from backups, try Recuva and ShadowExplorer, or pay the ransom.

 

So I will never get my files back?



#4 cybercynic

cybercynic

  • Members
  • 557 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:12:19 PM

Posted 10 November 2016 - 02:48 PM

Currently, there is no free decryption method for Locky variants. It is unknown if or when a solution will be found. All you have for now are the suggestions Demonslay made in his post.

 

You should post in and monitor the Locky topic in the future.

 

http://www.bleepingcomputer.com/forums/t/605607/locky-ransomware-zepto-support-and-help-topic-help-instructionshtml/


Edited by cybercynic, 10 November 2016 - 02:50 PM.

We are drowning in information - and starving for wisdom.


#5 riche76

riche76

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 10 November 2016 - 02:53 PM

Demonslay335 - Check your deleted items in the Windows Recycle Bin

My friend has .THOR ransomware and in his deleted items we found all his My Documents folder.

It seems to create an encrypted copy then delete the originals but they forgot the final empty of the Recycle Bin!

It wasn't perfect as his My Pictures wasn't there but we're restoring all those nicely with PhotoRec so we will see.....



#6 cybercynic

cybercynic

  • Members
  • 557 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:12:19 PM

Posted 10 November 2016 - 02:58 PM

It's KamylsoN who needs to check the Recycle Bin. It's true that the ransomware doesn't always work properly - that's why Demonslay suggested using Recuva and Shadow Explorer. Sometimes, you get lucky with Locky.




#7 KamylsoN

KamylsoN
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 10 November 2016 - 04:02 PM

Demonslay335 - Check your deleted items in the Windows Recycle Bin

My friend has .THOR ransomware and in his deleted items we found all his My Documents folder.

It seems to create an encrypted copy then delete the originals but they forgot the final empty of the Recycle Bin!

It wasn't perfect as his My Pictures wasn't there but we're restoring all those nicely with PhotoRec so we will see.....

It's KamylsoN who needs to check the Recycle Bin. It's true that the ransomware doesn't always work properly - that's why Demonslay suggested using Recuva and Shadow Explorer. Sometimes, you get lucky with Locky.

Okay, I'll check Recuva :) Shadow doesn't work for me :/

Recuva doesn't work either :/ God damn it... bleep my life.


Edited by KamylsoN, 10 November 2016 - 04:13 PM.


#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:19 PM

Posted 10 November 2016 - 04:17 PM

I've had ShadowExplorer work for one or two victims of Locky when they were lucky about it failing to delete the shadow copies, and Recuva has saved a few pictures in some cases, but it is case-by-case for each victim. Always worth a try since the programs are free, but it is never guaranteed to work of course. Having proper backups is the only guarantee - let this be an unfortunately hard lesson for the future.




#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:19 PM

Posted 10 November 2016 - 04:36 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




