New Locky variant - THOR file extension

HCHTech

Described on Bleeping Computer here. Just had a business customer hit this morning. Luckily the workstation AV stopped it so only a single shared directory on the server was hit, and we've got good backups. Still, one more to watch out for.

For this variant, the ransom note file takes the form of:

_**_WHAT_is.html

where "**" is a random or sequential number (not sure which). One more to add to my RMM script that looks for ransom notes.
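A sketch of the kind of ransom-note check the post above mentions, as an added example that is not part of the original thread and not the poster's own RMM script. It assumes the "**" in the note name is one or more digits and that encrypted files carry the `.thor` extension from the thread title; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Note name from the post: "_**_WHAT_is.html". Assumption: "**" is one or more digits.
NOTE_RE = re.compile(r"^_\d+_WHAT_is\.html$", re.IGNORECASE)
ENCRYPTED_EXT = ".thor"  # extension named in the thread title


def scan(root):
    """Walk root; return {directory: {"notes": [...], "encrypted": count}} for hits only."""
    hits = {}
    # onerror swallows unreadable directories so one ACL problem doesn't abort the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        notes = sorted(f for f in files if NOTE_RE.match(f))
        encrypted = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        if notes or encrypted:
            hits[dirpath] = {"notes": notes, "encrypted": encrypted}
    return hits


def exit_code(hits):
    """Non-zero when anything was found, so an RMM monitor can alert on the status."""
    return 1 if hits else 0


def build_sample_tree(base):
    """Constructed sample share: one affected directory, one clean one."""
    layout = {
        "Shared": ["_17_WHAT_is.html", "A1B2C3D4.thor", "report.docx"],
        "Pictures": ["holiday.jpg", "WHAT_is_new.html"],  # near miss, must not match
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan(sys.argv[1])
    else:  # no path given: demonstrate on the constructed tree
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            found = scan(tmp)
    for directory, info in found.items():
        print(f"{directory}: notes={info['notes']} encrypted_files={info['encrypted']}")
    sys.exit(exit_code(found))
```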
 
Had a client infected over the weekend with this. Oddly it encrypted their entire documents folder but left pictures untouched.

They had McAfee LiveSafe and it failed to detect anything.
 
Came across one the other day - signed them up onto our protection as they only had Avira and no backups.

Guessing there isn't a decryptor yet?
 
I had a business hit with it recently. He got lucky and something must have gone wrong, because it only renamed the PDF files; it never touched the Word or Excel files. If it did, it would've been bad. They now understand the importance of having a backup process in place.
 