
ThunderCrypt Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 592
First Seen: May 11, 2017
Last Seen: April 21, 2022
OS(es) Affected: Windows

The ThunderCrypt Ransomware is a ransomware Trojan that is used to infect computers in an attempt to extort computer users. The ThunderCrypt Ransomware was first observed in May 2017, and it seems to be a standalone infection rather than part of a larger family. PC security researchers suspect that the ThunderCrypt Ransomware is being delivered through corrupted spam email attachments that abuse macros to execute corrupted code on the victim's computer. The ThunderCrypt Ransomware also has been observed being delivered as a bogus update for Adobe Flash Player, a common tactic that has been seen in numerous threat variants over the years.

How the ThunderCrypt Ransomware Carries out Its Attack

When the victim runs the ThunderCrypt Ransomware's downloader, the Windows User Account Control (UAC) prompt will display the following message:

'User Account Control
Do you want to allow this app from an
unknown publisher to make changes to
your device?
install_flash_player_ax.exe
Publisher Unknown
File origin: Hard drive on this computer'

Clicking on OK will allow a window named 'Adobe Flash Player 25.0 Installer' to pop up, progress bar and all. After a few moments, the following error message will be displayed:

'Adobe Flash Player 25.0 Installer
The installation encountered errors:
Your Microsoft Internet Explorer browser includes the latest of the Adobe Flash Player
built-in Windows Update will inform you when new of the Flash Player
are available'

The ThunderCrypt Ransomware will continue working in the background, encrypting the victim's files. The ThunderCrypt Ransomware will target the files generated by the user, which may include images, text files, videos, and files generated by programs such as AutoCAD, Microsoft Office, LibreOffice, Adobe Photoshop, etc. The ThunderCrypt Ransomware may take several hours to encrypt the entirety of the victim's files, working in the background without alerting the victim to the attack. The ThunderCrypt Ransomware will mark the files compromised in the attack with the file extension '.thundercrypt'.
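The two host artifacts described above, the '.thundercrypt' extension appended to encrypted files and the bogus installer name 'install_flash_player_ax.exe' shown in the UAC prompt, are enough for a first-pass triage of a suspect machine. The following script is an added example written for this entry, not code from the threat database or from the malware's authors: it walks a directory tree read-only, collects both indicators, and tallies which original file types were hit (recovered from the name in front of the appended extension). The sample directory it builds is constructed for demonstration only.

```python
"""Added triage helper: locate ThunderCrypt-style artifacts on a filesystem.

Example code, not part of the original threat database entry. It relies only
on two indicators stated on the page: the '.thundercrypt' extension appended
to encrypted files and the dropper name 'install_flash_player_ax.exe'. The
directory layout built by build_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_SUFFIX = ".thundercrypt"            # extension stated on the page
DROPPER_NAME = "install_flash_player_ax.exe"  # bogus Flash installer from the UAC prompt


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)      # paths ending in .thundercrypt
    dropper_candidates: list = field(default_factory=list)   # paths named like the dropper
    original_types: Counter = field(default_factory=Counter) # e.g. {'.docx': 12, '.jpg': 40}

    @property
    def is_hit(self) -> bool:
        return bool(self.encrypted_files or self.dropper_candidates)


def original_suffix(encrypted: Path) -> str:
    """'report.docx.thundercrypt' -> '.docx'; a name with no inner suffix -> ''."""
    inner = encrypted.name[: -len(ENCRYPTED_SUFFIX)]
    return Path(inner).suffix.lower()


def scan_for_thundercrypt(root: Path) -> TriageReport:
    """Walk `root` and collect indicators. Read-only: never renames or deletes."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()  # Windows filesystems are case-insensitive
            if lower.endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(path)
                report.original_types[original_suffix(path)] += 1
            elif lower == DROPPER_NAME:
                report.dropper_candidates.append(path)
    return report


def build_sample_tree() -> Path:
    """Create a constructed tree mimicking a partially encrypted user profile."""
    root = Path(tempfile.mkdtemp(prefix="thundercrypt_demo_"))
    files = {
        "Documents/report.docx.thundercrypt": b"\x00" * 64,   # constructed
        "Documents/budget.xlsx.thundercrypt": b"\x00" * 64,   # constructed
        "Pictures/holiday.jpg.thundercrypt": b"\x00" * 64,    # constructed
        "Pictures/untouched.png": b"PNG...",                   # constructed, not encrypted
        "Downloads/install_flash_player_ax.exe": b"MZ...",     # constructed placeholder
        "Downloads/README.txt": b"not encrypted",              # constructed
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_for_thundercrypt(sample_root)
    print(f"Hit: {result.is_hit}")
    print(f"Encrypted files: {len(result.encrypted_files)}")
    print(f"Dropper candidates: {[p.name for p in result.dropper_candidates]}")
    print(f"Original file types hit: {dict(result.original_types)}")
```

Point `scan_for_thundercrypt` at a user profile (or a mounted forensic image) instead of the constructed tree to get a quick picture of how far the encryption got and which document types were affected; the per-type tally is also a useful sanity check on which backups need restoring.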

How the ThunderCrypt Ransomware may be Used to Generate Profit at the Expense of the Victim

The ThunderCrypt Ransomware uses a combination of AES and RSA encryption to make it impossible to recover the encrypted files without the decryption key. The ThunderCrypt Ransomware will demand the payment of 0.345 Bitcoin (approximately $650 USD at the current exchange rate) to get the decryption key. The ThunderCrypt Ransomware takes the victim's files hostage until the ransom is paid. The ThunderCrypt Ransomware displays its ransom demands in a ransom note with the following text:

'Good afternoon!
We have encrypted all your personal files! To see the list of encrypted files!
We did this using hybrid RSA-2048 public key encryption. It basically means there is no way to decrypt your files without the private key. The private key is stored on our server.
Indeed, we can recover your files. You just have to pay us before the deadline (see the countdown). If you don't, the private key will be securely erased from our server and you will lose encrypted files forever.
Transfer required amount (see on the left) to the Bitcoin address below, which was generated just for your payment. If you don't know how to use Bitcoin or where to buy Bitcoins, click here. As soon as the transaction gets confirmed, the decryption will start automatically. It usually takes about 30 minutes for transaction to become confirmed. You will be notified about any progress.
[RANDOM CHARACTERS]
WARNING. Antivirus software may remove this program, but it can't decrypt your files. So, better temporarily disable your antivirus, because we can't decrypt your files if this program is damaged. Also, do not modify any of the encrypted files, otherwise even we won't be able to recover them.
If you have any questions or if you encounter any problems with payment, feel free to contact us.
Also, we can decrypt one file up to 3 MiB for free as a proof that decryption is possible.'

PC security researchers advise computer users to refrain from paying the ThunderCrypt Ransomware ransom. Paying allows fraudsters to continue creating these threats. Furthermore, there is little guarantee that these people will keep their promise and help the victim restore the affected files.
