Remove Thor File ransomware

How to Remove Thor File Extension Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:


    All of your files are encrypted with RSA-2048 and AES-128 ciphers.
    More information about the RSA and AES can be found here:
    Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
    To receive your private key follow one of the links:
    If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser:
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: jhomitevd2abj3fk.onion/5DYGW6MQXIPQSSBB
    4. Follow the instructions on the site.
    !!! Your personal identification ID: 5DYGW6MQXIPQSSBB !!!

Who knew hackers would turn out to be Marvel fans? Well, the .Thor file extension is proof that crooks enjoy the mighty Asgardian God. This particular extension is a sign that something malicious is now on your PC: ransomware. To be more precise, you’re stuck with a brand new version of the Locky Ransomware. Just like in the popular comic books, Thor and Locky are partners in crime. However, while the original duo is very entertaining, its ransomware variant is dreadful. Locky has already established itself as a particularly nasty infection. It’s wreaking havoc all over the world and causes thousands of PC users a headache.

This is a file-encrypting parasite. By using a highly complicated cipher, the virus locks your data. All of it. We’re talking a huge percentage of formats including pictures, music and MS Office documents. The files that Locky encrypts become unreadable. That is because this pest changes their extension. It adds the .thor appendix to the target data. Therefore, seeing this extension means your information is no longer accessible. Your own files on your own computer. Think about it. The infection locks your files and keeps them hostage. Your computer won’t be able to recognize your files’ new format so you won’t be able to use your data. Simple as that. Ransomware’s tactics are, without a doubt, among the most devious and unfair ones online.

The Locky Virus utilizes a mixture of two ciphers – RSA and AES. It also renames your files. For example, Mjolnir.jpg gets renamed to 0H3MR5KE-K2K1-BA00-334X-K409XMHH3A76.thor. Apart from creating a mess on your machine, this trick also causes you damage. As mentioned, this program messes with the original formats of your data. It leaves you with unreadable, inaccessible, practically useless files. Furthermore, it asks for a ransom. The reason why Locky encrypted your files in the first place is so hackers could steal your money. Remember, these programs are attempting to scam you.

While locking your data, the virus drops _WHAT_is.html and _WHAT_is.bmp files. They contain detailed payment instructions. According to the ransom messages, you only have one chance to restore your information. All you have to do is pay 0.50 Bitcoin (almost 330 USD). Now, you shouldn’t pay the money for plenty of reasons. Number one – crooks are unreliable. It is very likely that they will not keep their end of the bargain. Number two – by paying, you’d be exposing personal information. That means hackers could cause you some serious privacy issues. Number three – PC specialists constantly work on decryption tools. You might be able to restore all your locked files without paying crooks a single cent.
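To see how far the encryption reached before you start restoring anything, the renamed files and ransom notes described above can be inventoried per folder. The PowerShell below is an added example, not part of the original guide; it only reads the file system, and the scan root and the generalized 8-4-4-4-12 name pattern (derived from the single example file name above) are assumptions.

```powershell
# Added example: read-only inventory of .thor files and ransom notes.
# Assumption: scan the current user's profile; point $root at another drive as needed.
$root = $env:USERPROFILE

# Name shape generalized from the guide's example:
#   0H3MR5KE-K2K1-BA00-334X-K409XMHH3A76.thor
$renamedPattern = '^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{12}\.thor$'

# Ransom note file names given in the guide.
$noteNames = @('_WHAT_is.html', '_WHAT_is.bmp')

# -Force includes hidden files; access-denied folders are skipped silently.
$files = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue

$hits = $files | Where-Object {
    $_.Name -match $renamedPattern -or $noteNames -contains $_.Name
}

# One summary row per folder: how many files were renamed, how many notes were dropped.
$report = $hits | Group-Object DirectoryName | ForEach-Object {
    $encrypted = @($_.Group | Where-Object { $_.Extension -eq '.thor' })
    $oldest    = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    [pscustomobject]@{
        Directory      = $_.Name
        EncryptedFiles = $encrypted.Count
        RansomNotes    = $_.Count - $encrypted.Count
        # Oldest LastWriteTime among the renamed files in this folder (empty if none).
        EarliestWrite  = $oldest.LastWriteTime
    }
}

$report | Sort-Object EncryptedFiles -Descending | Format-Table -AutoSize -Wrap
```

Folders that show ransom notes but no .thor files are worth a manual look, since the name pattern here is inferred from one sample.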

How did I get infected?

Ransomware gets spread online the same way most parasites do. Via stealth and lies. In order to prevent malware installation, you have to be cautious on the Web all the time. Keep an eye out for infections and don’t overlook any potential threat. Trust us on this one, prevention is the easier option. Having to uninstall a virus afterwards is significantly more problematic. Now, ransomware might have pretended to be some legitimate email or message. Not only is this the oldest method online but it’s also the most effective one. In the future, stay away from random email attachments and messages from unknown senders. Those might be hiding a vicious intruder. Also, avoid unverified websites and freeware bundles. Some infections get disguised as program updates. Some viruses use Exploit Kits to travel the Web. Last but not least, ransomware often uses the help of Trojan horses. You should definitely check the computer for more parasites. Locky may not be the only piece of malware currently on board.


Why is Thor File Extension dangerous?

The .Thor extension is a red flag for huge trouble. As mentioned, it’s added by one of the most aggressive and dangerous programs online. Ransomware only has one goal and it certainly doesn’t involve your encrypted, unreachable files. On the other hand, it involves quite a lot of money. You must keep in mind that Locky is now on board to blackmail you. Even though its developers promise a decryptor, you should know better than to trust them. Are you willing to give crooks hundreds of dollars without receiving anything in exchange? Are you willing to get scammed? Keep your Bitcoins and don’t let cyber criminals harass you. Ignore the parasite’s bogus ransom notes. Paying the money isn’t an option as that would only worsen your situation. To delete the virus manually, please follow our removal guide down below.

Thor File Extension Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Thor File Extension Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file name.
  • Before you kill the process, type its name in a text document for later reference.


  • Locate any suspicious processes associated with Thor File Extension encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hidden and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Thor File Extension encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]


  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig utility to double-check the execution point of the virus. Keep in mind that the names on your machine might be different, as they might be generated randomly. That’s why you should run a professional scanner to identify malicious files.
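Because the entry name is random, it helps to list every value in the two Run keys above and see which ones launch from a user-writable folder such as %appdata%. The PowerShell below is an added example, not part of the original guide; it is read-only, and checking %LOCALAPPDATA% and %TEMP% as well as the Authenticode status are assumptions beyond what the guide names.

```powershell
# Added example: read-only audit of the Run keys named in STEP 3.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# The guide points at %appdata%; LOCALAPPDATA and TEMP are added assumptions.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        # GetValue() expands %VAR% references in REG_EXPAND_SZ data.
        $command = [string]$item.GetValue($name)

        # Does the command line reference a user-writable folder?
        $flag = [bool]($userWritable | Where-Object {
            $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        })

        # Best-effort extraction of the executable path (quoted, or up to the first .exe).
        $path = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
                elseif ($command -match '^\s*(.+?\.exe)\b') { $Matches[1] }
                else { $null }

        $signature = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'FileNotFound' }

        [pscustomobject]@{
            Key           = $key
            Name          = $name
            Command       = $command
            InUserFolder  = $flag
            Signature     = $signature
        }
    }
}

# Entries running from user-writable folders are listed first for review.
$entries | Sort-Object InUserFolder -Descending | Format-Table -AutoSize -Wrap
```

An unsigned entry with a random-looking name under a user folder is the candidate to compare against the process name noted in STEP 1; legitimate software also starts from these folders, so review each entry before deleting it.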

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may be able to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover. Right-click on any file you want to restore and click Export on it.
