Nuspire’s SAT Discovers Thor, New Variant of Locky

Thor Spam Campaign Email 2

UPDATE (10/27/2016):

Two days after the initial release of Thor, Security Analytics Team members at Nuspire Networks have already noticed a change in the email subject line. This new spam campaign started over the night of October 26, 2016, and the subject line consists of 'E-TICKET 24519'.

“The string of numbers is random in order to look more legitimate, but otherwise this is the same delivery method as previously stated,” said SAT member Shawn Pope.

He also said that the SAT team was able to extract the malicious domains associated with this and immediately added this new development to Nuspire’s threat intelligence database.

Thor spam campaign email

Security Analytics Team (SAT) members at Nuspire Networks have discovered a large scale spam campaign in their nuMAIL service that has led to the finding of “Thor.” This variant has been added to the list of Locky strains along with Bart, Odin, Zepto, and Perl.

This campaign began on October 24, 2016, and carries two different subject lines:

Budget Forecast



The files are in a .ZIP attachment that can be delivered as malicious JavaScript or Windows Script Files.

encrypted thor fileOnce the initial malware has been executed, it connects to a malicious domain, which then installs the Thor payload and the encryption process begins. Once encryption is completed, the .thor file extension is appended to all affected files, and the ransom screen is presented along with an HTML file named ‘WHAT_is.’

The ransom is currently at 0.54 Bitcoin, which is the equivalent of about $350.

“As always, we never recommend paying the ransom, and a backup solution for these types of events is ideal,” said Pope.

For more information on how to avoid this and other types of cybersecurity risks, click here.

Nuspire Insights

Nuspire Infographic

Contact Us


Nuspire Infographic

Contact Us