

ThunderCrypt is ransomware that runs on Microsoft Windows and is aimed at English-speaking users. It appeared in May 2017, at the same time as WannaCry, and like WannaCry it encrypts the victim's files and demands a Bitcoin ransom. On May 14th, 2017, its operators let a Taiwanese victim off the hook because of his low income.

Payload

Transmission

ThunderCrypt is distributed as a fake Adobe Flash Player update advertised on Taiwanese forums. Like other ransomware, it can also spread through spam email with malicious attachments, fraudulent downloads, exploits, web injects, other fake software updates, and repackaged or infected installers.

Infection

When the victim runs ThunderCrypt's downloader, Windows User Account Control (UAC) displays an elevation prompt for it; accepting the prompt lets the installer run with administrative rights.

ThunderCrypt then continues working in the background, encrypting the victim's files. It targets files generated by the user, which may include images, text files, videos, and documents produced by programs such as AutoCAD, Microsoft Office, LibreOffice and Adobe Photoshop. Encrypting the entirety of the victim's files may take several hours, during which the malware works in the background without alerting the victim. Each encrypted file is marked with the appended file extension .thundercrypt.
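As an added illustration of the response side of the paragraph above (example code written for this article, not ThunderCrypt's own code or any tool from the page), the following Go program walks a directory tree, lists every file carrying the .thundercrypt extension, and uses the files' modification times to bound the window in which the encryption run was active, which matters because the run can take hours before the victim notices. The directory layout, file names and timestamps it builds are constructed sample data.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// Extension ThunderCrypt appends to each file it encrypts.
const encryptedExt = ".thundercrypt"

// Hit is one encrypted file found during triage.
type Hit struct {
	Path     string    // path of the encrypted file
	Original string    // the same path with the ransomware extension removed
	ModTime  time.Time // when the encrypted copy was written
}

// Triage walks root and collects every file carrying encryptedExt, sorted by
// write time. Unreadable entries are skipped rather than aborting the walk.
func Triage(root string) ([]Hit, error) {
	var hits []Hit
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() || !strings.HasSuffix(strings.ToLower(d.Name()), encryptedExt) {
			return nil
		}
		if info, err := d.Info(); err == nil {
			hits = append(hits, Hit{Path: p, Original: p[:len(p)-len(encryptedExt)], ModTime: info.ModTime()})
		}
		return nil
	})
	sort.Slice(hits, func(i, j int) bool { return hits[i].ModTime.Before(hits[j].ModTime) })
	return hits, err
}

// Window returns the earliest and latest write times among the hits, which
// bound the period in which the encryption run was active on this volume.
func Window(hits []Hit) (start, end time.Time, ok bool) {
	if len(hits) == 0 {
		return start, end, false
	}
	return hits[0].ModTime, hits[len(hits)-1].ModTime, true
}

// ByOriginalType counts hits by the original file's extension (lower-cased),
// which shows which kinds of user data the run reached.
func ByOriginalType(hits []Hit) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[strings.ToLower(filepath.Ext(h.Original))]++
	}
	return counts
}

// BuildSample writes a constructed tree under dir imitating the aftermath of a
// run: three encrypted files with staggered write times plus one untouched file.
func BuildSample(dir string) error {
	base := time.Date(2017, time.May, 14, 9, 0, 0, 0, time.UTC) // constructed timestamp
	files := map[string]time.Duration{
		"photos/holiday.jpg" + encryptedExt: 0,
		"work/report.docx" + encryptedExt:   45 * time.Minute,
		"notes.txt" + encryptedExt:          2 * time.Hour,
		"untouched.txt":                     0,
	}
	for rel, age := range files {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("sample bytes"), 0o644); err != nil {
			return err
		}
		t := base.Add(age)
		if err := os.Chtimes(p, t, t); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "triage-sample")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildSample(dir); err != nil {
		panic(err)
	}
	hits, _ := Triage(dir)
	start, end, _ := Window(hits)
	fmt.Printf("%d encrypted files written between %s and %s\n", len(hits), start.UTC(), end.UTC())
	fmt.Println("by original type:", ByOriginalType(hits))
}
```

Point Triage at a mounted image or the root of a live volume instead of the sample directory: the earliest and latest write times give the encryption window to correlate with logon, process and network events, and the count by original extension shows which user data was reached. The check keys on the appended extension only, so any file the malware encrypted but did not rename would be missed.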

ThunderCrypt uses a combination of AES and RSA encryption, the usual hybrid scheme in which file contents are encrypted with a symmetric AES key and that key is in turn encrypted with the attackers' RSA-2048 public key; the files cannot be recovered without the matching private key, which is held only on the attackers' server. ThunderCrypt demands a payment of 0.345 Bitcoin (approximately $650 USD at the May 2017 exchange rate) for the decryption key and holds the victim's files hostage until the ransom is paid. The ransom demand is displayed in a note with the following text:

Good afternoon!
We have encrypted all your personal files! To see the list of encrypted files!
We did this using hybrid RSA-2048 public key encryption. It basically means there is no way to decrypt your files without the private key. The private key is stored on our server.
Indeed, we can recover your files. You just have to pay us before the deadline (see the countdown). If you don't, the private key will be securely erased from our server and you will lose encrypted files forever.
Transfer required amount (see on the left) to the Bitcoin address below, which was generated just for your payment. If you don't know how to use Bitcoin or where to buy Bitcoins, click here. As soon as the transaction gets confirmed, the decryption will start automatically. It usually takes about 30 minutes for transaction to become confirmed. You will be notified about any progress.
[RANDOM CHARACTERS]
WARNING. Antivirus software may remove this program, but it can't decrypt your files. So, better temporarily disable your antivirus, because we can't decrypt your files if this program is damaged. Also, do not modify any of the encrypted files, otherwise even we won't be able to recover them.
If you have any questions or if you encounter any problems with payment, feel free to contact us.
Also, we can decrypt one file up to 3 MiB for free as a proof that decryption is possible.