Tuts 4 You

I got hit by the Locky ransomware


blank


A couple of days ago I was backing up some company server data, among which were some email inboxes. After downloading the archives I opened one of the emails to make sure the backup was successful. Apparently, that was a spam email with an infected attachment, so I lost all my data. All my files are encrypted with the .thor extension, and I have a ransom note saying to visit jhomitevd2abj3fk.onion.

From what I found online, this is an old ransomware (from around 2016), and there isn't a known way to decrypt the files. I've lost some stuff with quite a lot of sentimental value, and I don't really know how to proceed. I've been through a panic attack these days, but I am trying to snap out of it.

I've tried to access the link to at least see how much my data is worth. But, apparently, because Tor updated its infrastructure, these short links (V2 from what I understand) are no longer supported, so I cannot access the page.

I guess the reason I'm writing this is to vent, because I feel I really need to tell somebody about this, but also to see if anyone has any suggestions. I know I can't decrypt the files without the key, so I don't really know what I expect to receive, but I'm writing nonetheless.

Also, does anyone, by any miracle, happen to know of an updated ransom link for this malware? The articles I've read from back in the day say that when the virus was active, the ransom requested was around $300. Against my better judgement and all advice, I think I would be willing to pay that amount for my data, if I were able to access the site.


Kurapica

Sorry for what I'm about to say, but you are running a server and you don't have any air-gapped backups?

Short story is "you are fucked". I wouldn't waste any more time searching for a solution. I know it can be a heavy loss, but it is time you started taking security more seriously, educate yourself and build your world again.

Good luck.


whoknows

@blank see the AutoLocky decryptor at emsisoft.com/en/ransomware-decryption/

2016 - forum.eset.com/topic/7762-locky/

@Kurapica hi!


@Kurapica It's not my server, and the server isn't the problem. It was an old hosting subscription, both made and abandoned long before I joined the company. They finally decided to shut it down, so my job was just to back up whatever I could find on it before they did so.

The stupid part on my side was that I opened the email to make sure the backup was usable, and it didn't cross my mind at the time that they could be infected.

I did this on my own computer, so it's my personal files that I lost. I had some physical backups and my important files were on a NAS that somehow survived, although it was mapped as volumes on the infected PC (thank God for incompetent hackers...) I didn't have everything backed up though, so I lost some documents, as well as photos and other memories.

@whoknows Thanks for the reply! AutoLocky does not apply unfortunately; Emsisoft does not have anything for this ransomware. And the forum article just confirms what I knew, that the files cannot be decrypted.

@Teddy Rogers Thanks for the suggestion! I haven't tried Shadow Explorer. I am not sure if that would still work in my case though. I removed the drives from my PC (as I didn't want to turn it on and risk having the virus auto-start and delete even more files). I connected each drive to another PC via a USB adapter. Would that still allow me to use Shadow Explorer? I don't really know how that tech works, where it stores the extra info, and whether it is OS-dependent or not.

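On the Shadow Explorer question: Volume Shadow Copies are a Windows/NTFS feature, and by default the snapshot data (the "diff area") is kept in the System Volume Information folder of the volume itself, so it travels with the disk and can be enumerated by any Windows host that mounts the volume. The catch is that Locky-era ransomware routinely deletes them first (vssadmin delete shadows /all /quiet), so the first thing to do is simply check whether any survived. The script below is an added example, not from this thread or from Shadow Explorer; it assumes the evidence drive appears as E: on the clean machine, that the diff area was left at its default location on that same volume, that you run it from an elevated PowerShell prompt, and that C:\shadow_E is a free path for the link. Attach the drive through a write blocker or set it read-only first (diskpart: select disk N, attributes disk set readonly) so nothing on the clean host modifies it.

```powershell
# Added example (not from the thread): list Volume Shadow Copies on a drive attached
# to a clean Windows host and expose the oldest one as a browsable directory.
# Assumptions: evidence volume is E:, elevated prompt, link path C:\shadow_E is unused.
param([string]$DriveLetter = "E:")

# Map the drive letter to the \\?\Volume{GUID}\ device ID that Win32_ShadowCopy reports.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $vol) { throw "Volume $DriveLetter not found" }

# Shadow copies are stored on the volume itself, so they show up here even though
# the disk was pulled from another PC.
$shadows = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID }
if (-not $shadows) {
    Write-Output "No shadow copies on $DriveLetter (ransomware commonly deletes them with 'vssadmin delete shadows /all /quiet')."
    return
}

# Show what is there: creation time tells you which snapshot predates the infection.
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Expose the oldest snapshot as a directory symlink. The trailing backslash on the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN target is required by mklink.
$oldest = $shadows | Sort-Object InstallDate | Select-Object -First 1
$link = "C:\shadow_$($DriveLetter.TrimEnd(':'))"
cmd /c mklink /d $link "$($oldest.DeviceObject)\"
Write-Output "Browse $link and copy files out; remove the link afterwards with: cmd /c rmdir $link"
```

A quicker first check from an elevated prompt is `vssadmin list shadows /for=E:`; an empty result means Shadow Explorer will have nothing to show either. Note that the snapshots only cover the volume they were taken on: files that lived on the old machine's system drive will only be in that drive's shadow copies, not on a data disk.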

jackyjask
9 hours ago, blank said:

that I opened the email

you did not run any attachments but just opened up an email??? -> somehow magically ransomware was activated and started to shred the data?... hm hm

was that online emailer like gmail or some offline email client?


Kurapica
10 hours ago, jackyjask said:

you did not run any attachments but just opened up an email??? -> somehow magically ransomware was activated and started to shred the data?... hm hm

was that online emailer like gmail or some offline email client?

Most probably activated via scripts inside office documents on PCs with vulnerable office versions.

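Kurapica's guess above (a macro or script carried in an Office attachment) matches how this family was usually delivered, and it is the kind of thing you can triage before opening archived mail on a working machine. The script below is an added example, not from this thread or from any vendor tool. It flags three kinds of active content using only the Python standard library: macro-enabled OOXML files (a vbaProject.bin part inside the zip container), legacy OLE2 documents whose directory contains VBA storage names, and script files sitting inside ordinary zip archives. It is a heuristic, not a parser (for real investigations use something like oletools' olevba); the sample attachments are constructed in memory, and the OLE sample is just the OLE magic followed by a marker, not a valid document.

```python
# Added example (not from the thread): stdlib-only triage of mail attachments for
# active content. Samples below are constructed in memory, not real malware.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1")
# Directory entry names that only exist in an OLE2 document when a VBA project is stored.
# OLE2 stores entry names as UTF-16LE, so we search for the encoded form.
OLE_VBA_MARKERS = tuple(s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros", "VBA_PROJECT_CUR"))


def classify(name: str, data: bytes) -> list:
    """Return the reasons an attachment looks like it carries active content (empty list = nothing found)."""
    reasons = []
    if name.lower().endswith(SCRIPT_EXTS):
        reasons.append("script extension: " + name)

    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: look for VBA storage names in the raw bytes.
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                reasons.append("legacy OLE document with VBA storage: " + marker.decode("utf-16-le"))
                break
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # Either an OOXML document (.docx/.docm/.xlsm, which is a zip) or a plain archive.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            is_ooxml = "[Content_Types].xml" in names
            for member in names:
                lower = member.lower()
                if lower.endswith("vbaproject.bin"):
                    reasons.append("OOXML with embedded VBA project: " + member)
                elif not is_ooxml and lower.endswith(SCRIPT_EXTS):
                    reasons.append("script inside zip archive: " + member)
    return reasons


def _zip_bytes(entries: dict) -> bytes:
    """Build a zip archive in memory from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments: a macro-enabled Word file, a clean Word file,
# a zipped JScript dropper, a fake legacy .doc with a VBA marker, and plain text.
SAMPLES = {
    "invoice.docm": _zip_bytes({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>",
                                "word/vbaProject.bin": b"\x00" * 16}),
    "report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "scan.zip": _zip_bytes({"scan_0001.js": "var x = 1;"}),
    "old.doc": OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le"),
    "notes.txt": b"plain text",
}


def triage(samples=SAMPLES) -> dict:
    """Classify every sample; attachments with a non-empty reason list should not be opened."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name:14} {'FLAG ' + '; '.join(reasons) if reasons else 'ok'}")
```

Run it over an extracted mailbox by calling classify() on each attachment's filename and bytes; anything flagged goes to a sandbox, not a workstation with mapped NAS volumes.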
