The THT Ransomware is an encryption ransomware Trojan that has been used in large and medium-sized ransomware campaigns. Judging from its source code, the THT Ransomware seems to have been produced by Romanian speakers. The THT Ransomware attacks were reported in the final week of June 2018. Like the many ransomware Trojans that attack computer users systematically, the THT Ransomware takes the victim's files hostage, encrypting them with a strong encryption algorithm. The THT Ransomware attacks seem to have been carried out by taking advantage of poorly protected Remote Desktop access, and they targeted large servers. Fortunately, the THT Ransomware has caused minimal damage, since victims have had backup images of the targeted computers (a strong case for file backups and backup images as a primary way of protecting data from attacks like the THT Ransomware).
How the THT Ransomware Attacks a Machine
There is very little to differentiate the THT Ransomware from the countless encryption ransomware threats currently being used to extort computer users. The THT Ransomware's attack does not differ from the modus operandi of other threats; it uses AES-256 encryption to make the victims' files inaccessible. The THT Ransomware targets user-generated files, which may include files with the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
The THT Ransomware's Ransom Demand
The THT Ransomware will deliver a text note in the form of a TXT file dropped on the infected computer's desktop. The message in the THT Ransomware's ransom note reads:
'Hello. Sorry, your company's server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: TimisoaraHackerTeam@protonmail.com (Please check spam, Avoid missing mail)
Identification code: [random characters] (Please tell us the identification code)
Ransom: Please pay 10 bitcoins. After the payment is successful, we will tell the Password.
(If the contact is fast, we will give you a discount.)
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
How to buy and pay for Bitcoin:
Or you can google search "How to buy Bitcoin"
If you know other trading websites better.
We are a professional hacker team, not a virus. We only take directional attacks. We know everything about your company. If you refuse to pay, we will disclose important documents that we have (file, email, contracts and many more).
We are a reputable organization and definitely not a liar. Our business covers more than 20 countries around the world. There are hundreds of companies that have successfully unlocked.'
It is clear that the criminals responsible for the THT Ransomware have large targets in mind, considering the large Bitcoin ransom demanded, approximately equivalent to 60,000 USD. Computer users should not communicate with the criminals or negotiate for the decryption key. Instead, computer users and businesses targeted by the THT Ransomware should have file backups or backup server images that enable them to restore any data the THT Ransomware has compromised without having to contact the criminals, who are very unlikely to assist even if the ransom is paid.