Infected with THT Ransomware? Need to decrypt your files?
What is THT Ransomware
THT Ransomware is a cryptographic virus created by TimisoaraHackerTeam, which became most active at the end of June this year. Like many similar extortionists, it encrypts the user's key and most valuable files, such as documents, photos, video files and much more. After encryption, the user cannot open these files, because the virus changes their extensions. Sometimes, the virus targets server systems. It is impossible to decrypt files independently because the virus deletes all system restore points and backup copies of files. The main goal of THT Ransomware's developers is to make you pay to decrypt your files. That's why the developers have created a special text file, Readme unlock.txt, which opens with each attempt to open a file and has the following content:
Hello. Sorry, your company's server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: TimisoaraHackerTeam@protonmail.com (Please check spam, Avoid missing mail)
Identification code: ******* (Please tell us the identification code)
Ransom: Please pay 10 bitcoins. After the payment is successful, we will tell the Password.
(If the contact is fast, we will give you a discount.)
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
How to buy and pay for Bitcoin:
Or you can google search "How to buy Bitcoin"
If you know other trading websites better.
We are a professional hacker team, not a virus. We only take directional attacks. We know everything about your company. If you refuse to pay, we will disclose important documents that we have (file, email, contracts and many more).
We are a reputable organization and definitely not a liar. Our business covers more than 20 countries around the world. There are hundreds of companies that have successfully unlocked.
As follows from this text, the user must pay 10 BTC to get a special key or utility that decrypts user files. However, this is a trap. Scammers will get your money and do nothing in return. We strongly recommend that you do not pay and do not fall for such tricks. You can try decrypting your files using special utilities. Below we give examples of these programs and possible ways to restore files.
How THT Ransomware infected your PC
Recently, it has very often arrived as an email attachment in advertising spam mailings. The main reason THT Ransomware gets in is the insecurity of your networks. Sometimes it is enough to have the necessary set of utility programs that prevent the penetration of such viruses, for example HitmanPro.Alert with CryptoGuard.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with Networking. To do that, restart your computer and, before your system starts, hit F8 several times. This will stop the system from loading and will show the Advanced Boot Options screen. Choose the Safe Mode with Networking option from the options list using the up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the THT Ransomware virus. Launch your Internet browser, download a reliable anti-malware program and start a full system scan. Once the scan is complete, review the scan results and remove all entries detected.
Norton is a powerful removal tool. It can remove all instances of the newest viruses, similar to THT Ransomware – files, folders, registry keys.
*The trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.
Step 2: Remove the following files and folders of THT Ransomware:
Related emails and folders:
Remove the following files:
How to decrypt files infected by THT Ransomware?
Use automated decryption tools
There is a ransomware decryptor from Kaspersky that can decrypt Spora files. It is free and may help you restore files encrypted by the THT Ransomware virus. Download it here:
You can also try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although the latest versions of THT Ransomware remove system restore files, this method may help you to partially restore your files. Give it a try and use the standard System Restore to revive your data.
- Initiate the search for ‘system restore’
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case, by THT Ransomware). This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Versions tab
- Select the latest version and click Copy
- Click Restore
Restore .REBUS files using shadow copies
- Download and run Stellar Data Recovery.
- Select the type of files you want to restore and click Next.
- Select the drive and folder where your files are located and the date that you want to restore them from, and press Scan.
- Once the scanning process is done, click Recover to restore your files.
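The manual methods above only help if a restore point or shadow copy older than the infection survived. As an added example (not part of the original article), this PowerShell script uses the creation time of the Readme unlock.txt notes to estimate when encryption began and lists the restore points and shadow copies that predate it; the search root and the parameter names are assumptions.

```powershell
# Added example (not from the original page). Save as a .ps1 file and run it from
# an elevated Windows PowerShell 5.1 session on the affected machine.
param(
    [string[]]$Roots  = @("$env:SystemDrive\Users"),  # assumed search roots
    [string]$NoteName = 'Readme unlock.txt'           # note name given on this page
)

# 1. Locate ransom notes. The oldest creation time approximates when encryption began.
$notes = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter $NoteName -File -Recurse -Force -ErrorAction SilentlyContinue
})
if ($notes.Count -eq 0) {
    Write-Output "No '$NoteName' found under: $($Roots -join ', ')"
    return
}
$firstSeen = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
Write-Output "Ransom notes found: $($notes.Count); earliest created: $firstSeen"

# 2. System Restore points older than the first note.
#    Get-ComputerRestorePoint exists only in Windows PowerShell on client editions.
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        Created     = $_.ConvertToDateTime($_.CreationTime)
        Description = $_.Description
    }
} | Where-Object { $_.Created -lt $firstSeen })

# 3. Volume shadow copies older than the first note (these back "Previous Versions").
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -lt $firstSeen } |
    Select-Object ID, VolumeName, InstallDate)

# 4. Report what is left to restore from.
if ($restorePoints.Count -gt 0) {
    $restorePoints | Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No System Restore point predates the first ransom note.'
}
if ($shadows.Count -gt 0) {
    $shadows | Sort-Object InstallDate -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No volume shadow copy predates the first ransom note.'
}
```

The note timestamp is only an estimate of when encryption started, so when choosing a restore date prefer a snapshot comfortably older than it.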
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use a different approach to protect against ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as a famous cloud-based anti-malware scanner. Check out the ultimate active protection software from SurfRight.
Written by Rami Douafi