How to remove ThunderCrypt virus and restore encrypted files

First, let's determine what happened to the computer. The system was infected with a virus, called ThunderCrypt, which encrypted all the files on your computer (or most of them), and requires redemption for their decryption. Programs of this type are called ransomware, and they are considered the most dangerous viruses that can be picked up on the Web. The main difference between these programs, for the average user, is the design and the amount of ransom. The rest at first glance seems insignificant, but we'll still touch upon all the features of ThunderCrypt and explain how to deal with them.

The basis of the ThunderCrypt virus is an utility that encrypts user files using the RSA 2048 algorithm. This algorithm is one of the most complex in the world, and the data encrypted with it cannot be decrypted. It is used by representatives of the armed forces and the government of the United States and many other countries of the world to encrypt the most important data. In short, hacking this code is not possible. In fact, if ransomware has already penetrated the system, the chances to manage it without losses tend to zero, and you should only hope that any of the teams of malware fighters will take up hacking the virus and receive encryption keys. Otherwise, you will have to pay a ransom, which in this case is 0.345 BTC.


ThunderCrypt ransomware virus


If you are hoping to pay scammers and then return your money, withdrawing the transaction, or calculate the addressee of the money transfer - then you will be disappointed. The fact is that scammers prefer to receive a ransom in a crypto currency called Bitcoin, which cannot be tracked. More precisely, you can track the way money from your wallet to another, but the Bitcoin wallets can be created and deleted in few seconds and do not carry any personal information. As you can see, at the stage of payment of the repurchase, as well as at the time when the virus works on the computer, you cannot do anything. The most effective way to protect yourself against ransomware is to simply not let it into the system.

The stage of infection is the moment when the virus can’t prevent you in any way, and you can prevent it from entering the system. Basically, ransomware uses two methods of penetration: via Trojans and via spam e-mail. To protect the system from Trojans, you should use an antivirus program, and make sure that it is updated to the latest version. Of course, some Trojans can penetrate even the protected system, however in most cases the antivirus will be very useful. The second way can be neutralized only with the help of your care and caution. If you use e-mail for work or communication, then you know what spam is. Dozens of messages come to your e-mail every day, and most of them do not carry any useful information: messages about meaningless promotions, updates and so on. However, among them there are letters in which you receive promises of a bargain or reports on a prize in some contest or lottery. Also very common is spam, disguised as business correspondence. Such letters can look like invoices for some goods, reports on the work done, resumes of the applicant for any vacancy and so on. Fortunately, scammers do not have telepathic abilities, and can’t just guess the names of the people you work with, so letters come from unknown recipients. The normal reaction of any person will be to read the letter and inform the sender that he has mistaken the address. If you do this, the virus will easily get into the system. The average letter from scammers is constructed according to a simple scheme.


  • First comes the part that should interest the user. This can be a message about the receipt of a parcel in your name, notice of a lawsuit or complaint, or any other "business" letter. At the end of the text you will be asked to see the complete information contained in a separate file attached to the letter.
  • The attached file is a virus. It can be either the installation file of the virus itself, which will launch immediately after you click on it, or a script that after a while will start downloading the virus from the hacker's server.


To protect yourself from such an attack, you can take several steps:


  • Firstly, you should not open letters that come from unknown senders, if you do not expect such a message, and even more so if a file is attached to the letter.
  • Secondly, to open any letters you need to use services such as "sandbox", which allow you to open any file in quarantine, where it will not be able to interact with other files on the computer.
  • Thirdly, you should use a separate mail box for work, another one for communication and another one for registration on various sites. This will allow you to be sure that "business" letter can’t come to the "personal" box and vice versa.


Now you know how to protect yourself from the invasion of ransomware. In addition to this, there is another way to neutralize the threat, which does not require you to have special knowledge or additional costs. We mean the creation of a backup of the whole system or at least of the most important files. Creating a backup is an option provided by the basic functionality of Windows, and everyone can handle it. The only requirement for a procedure of this kind is to store the copied data on a separate hard drive, disconnected from the computer. Then, even if the virus penetrates the computer, you can delete it along with the infected files, and then download the undamaged copy. If at the time of infection you did not have a backup copy - then you can only hope for help from outside.

How to remove ThunderCrypt Virus

Regardless of the way you are going to restore the data, you have to remove ThunderCrypt from the computer. Unlike conventional viruses, ThunderCrypt can resist your efforts, so all operations should be performed in a safe mode and using an anti-virus program. All necessary instructions and links to antivirus software are found under this paragraph.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.

Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files encrypted by ThunderCrypt

Unfortunately, at the moment we can not advise you a 100% effective way to recover data affected by ThunderCrypt. However, if you do not want to pay the ransom and intend to try to solve the problem yourself - you should familiarize yourself with alternative ways of data recovery, such as recovery using special programs (Recuva, ShadowExplorer) or shadow copies service.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore




Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience