Computer Security Tips

2016

The Thor ransomware infection chain

The Windows infection dubbed Thor represents a widespread ransomware lineage. It started with a Trojan that encrypted victims’ files and appended the .locky extension to them. As time went by, the criminals in charge kept tweaking their code. The latest update has brought a new .thor extension, new ransom notes, and a number of changes imperceptible to the naked eye.

Thor is the first sample from this family that completely switched from online to offline data encryption, although some unsuccessful experiments in this regard had taken place earlier. Offline, or autopilot, encryption means that the ransomware is self-contained: it can operate without reaching its Command and Control infrastructure for commands and crypto keys. For the average victim, this means that a security setup which relies on spotting or blocking that C&C traffic is less likely to detect the pest and stop it from rendering their files inaccessible.

The way this malady spreads isn’t technically complex. Its distributors use a botnet to send vast numbers of spam messages to a wide range of targets, including end users and organizations. The recipient sees an attached file disguised as a budget forecast, invoice, subscription cancellation request, failed delivery report, order information or some other attention-grabbing document. When extracted, the ZIP archive yields a JS or VBS file that, once run, kicks off the ransomware installation routine.

Once inside a computer, the program encrypts all personal data, renames the files to unrecognizable strings and appends the .thor extension. It then drops ransom notes named _WHAT_is.html and _WHAT_is.bmp, the latter replacing the desktop wallpaper. These documents tell the victim to visit a Tor gateway called the Locky Decryptor page and send 0.5 Bitcoins to the wallet address provided there. Unfortunately, there is no free tool that restores encrypted .thor files. The applicable defenses revolve around exercising caution with spam and having a plan B: file backups remain the best mitigation strategy against ransomware.
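As an added example (not code from the original post), the following Python triage helper covers both stages described above: it flags JS or VBS script files inside a ZIP attachment and classifies file paths into .thor-renamed files and the two ransom notes. The sample attachment and the file paths are constructed here for illustration and do not come from a real incident.

```python
import io
import ntpath
import zipfile

# Delivery stage: the ZIP attachment carries a JS or VBS dropper.
SCRIPT_SUFFIXES = (".js", ".vbs")
# Impact stage: encrypted files get .thor; the notes are _WHAT_is.html and _WHAT_is.bmp.
ENCRYPTED_SUFFIX = ".thor"
RANSOM_NOTES = {"_what_is.html", "_what_is.bmp"}


def find_script_attachments(zip_bytes):
    """Return archive members whose name ends in a script extension.
    Matching is case-insensitive and looks only at the final suffix, so a
    double extension such as 'Budget_Forecast.pdf.JS' is still flagged."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_SUFFIXES)]


def find_thor_indicators(paths):
    """Split an iterable of file paths into .thor files and ransom notes.
    ntpath.basename accepts both Windows and POSIX separators, so the
    classifier also works on path listings copied from a Windows host."""
    hits = {"encrypted": [], "notes": []}
    for p in paths:
        name = ntpath.basename(p).lower()
        if name.endswith(ENCRYPTED_SUFFIX):
            hits["encrypted"].append(p)
        elif name in RANSOM_NOTES:
            hits["notes"].append(p)
    return hits


def build_sample_attachment():
    """Constructed stand-in for a spam attachment; it carries no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Budget_Forecast.pdf.JS", "// placeholder, no payload\n")
        zf.writestr("readme.txt", "harmless text\n")
    return buf.getvalue()


# Constructed paths imitating a user profile after encryption (not from a real case).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.thor",
    r"C:\Users\alice\Pictures\9F8E7D6C5B4A3021.thor",
    r"C:\Users\alice\Desktop\_WHAT_is.html",
    r"C:\Users\alice\Desktop\_WHAT_is.bmp",
    r"C:\Users\alice\Documents\notes.txt",
]
```

Feed find_thor_indicators a walk of a mounted share or a file listing exported from an endpoint to get a quick count of affected files and note locations per host.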

Sources:

1. http://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/

2. http://soft2secure.com/knowledgebase/thor-files

3. https://www.hackread.com/history-evolution-locky-ransomware/

4. https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware