How to remove ThunderX 2.1 Ransomware and decrypt .RANZY, .tx_locked or .lock files

What is ThunderX 2.1 Ransomware

Also known as Ranzy Locker, ThunderX 2.1 is a new ransomware sample that runs thorough data encryption. Depending on which version attacked your system specifically, you may see one of these 3 different extensions assigned to data – .RANZY, .RNZ, .tx_locked, or .lock. To illustrate, an innocent file like 1.pdf will change to 1.pdf.RANZY, 1.pdf.tx_locked, or 1.pdf.lock at the end of encryption. It will also reset its shortcut to blank. Right after this, the virus creates a text note named readme.txt that contains ransom instructions.

Cybercriminals call victims to follow the listed instructions as this is the only option to recover your data. All files have been rendered inaccessible with the help of secure encryption algorithms. To revert these consequences, victims are guided to contact developers through e-mail and buy unique decryption software. While sending a message, it is also required to attach a key string and personal ID from the note. In addition, they offer to send 3 files and receive them decrypted for free. They claim this is a guarantee of their trustworthiness and ability to restore the data. Nobody apart from victims knows how much money extortionists behind ThunderX 2.1 demand. The price is kept secret until people establish communication with cybercriminals. However, most ransoms are pretty high and might reach thousands of US dollars to be paid in cryptocurrency. For this exact reason, trusting extortionists in that regard can be quite risky. There are lots of proven cases when victims did not receive any promised decryption even after paying the ransom. It is important to mention that no third-party tools (apart from those held by cybercriminals) can guarantee 100% decryption of ThunderX data. The only and best option to use at this moment is backup copies. If you had them saved and stored on external and unplugged storage prior to the infection, then recovering data will not be a problem. Otherwise, you can try third-party tools like decryption and recovery programs but bear in mind that they may still be ineffective. This is because ThunderX has no visible flaws and vulnerabilities that could help succeed in decryption. Whatever recovery option you choose, it is important and foremost to delete the ransomware program to prevent further encryption. You will find both removal and restoration instructions in our guide below.

ThunderX Ransomware

Ranzy Locker Ransomware

How ThunderX 2.1 Ransomware infected your computer

Malicious programs like ransomware are often distributed through unprotected RDP configuration, trojans, e-mail spam messages, backdoors, keyloggers, fake updates, and software downloaded from third-party pages, exploits, web-injects, malicious ads, and other types of dangerous channels.

Despite such a variety of spreading techniques, it is worth pointing out a couple of them – those that have been most often abused by cybercriminals. E-mail spam is exactly the one to mention. Malware developers use this method to spread fake letters containing malicious attachments. Files attached to such messages are usually MS Office files like Word or Excel. Because these files operate on the basis of macros, many cybercriminals can change their configuration and spread malicious files disguised as financial reports, invoices, receipts, tracking of parcels, and other fake stuff promoted by them. Sometimes e-mail spam letters will have links instead of attachments. Such links are designed to open download pages asking to install something. Of course, this is a trick meant to fool you into installing a virus. Another popular way of infecting a system is via fake software disguised as original or legitimate. The most abused is Adobe Flash Player which can be advertised on suspicious pages telling your system is outdated or even infected. The same practice may apply to other software like pirated, cracked, and freeware programs. The installation of fake software may barely differ from genuine setups, but infect users with something you will never expect. Furthermore, it has also been popular to hack vulnerable RDP (Remote Desktop Protocol) ports and access your PC in order to install malware. A couple of users reported they got infected this way by ThunderX 2.1/Ranzy Ransomware. Considering such a variety of distribution methods, it would be worth installing advanced anti-malware software that will keep you protected. You can find more information about it in our tutorial below.

1. Download ThunderX 2.1 Ransomware Removal Tool
2. Get decryption tool for .RANZY, .tx_locked or .lock files
3. Recover encrypted files with Stellar Data Recovery Professional
4. Restore encrypted files with Windows Previous Versions
5. Restore files with Shadow Explorer
6. How to protect from threats like ThunderX 2.1 Ransomware

ThunderX 2.1 Ransomware files:


readme.txt
{randomname}.exe


ThunderX 2.1 Ransomware registry keys:

no information

How to decrypt and restore .RANZY, .tx_locked or .lock files

Use automated decryptors

Download Kaspersky RakhniDecryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .RANZY, .tx_locked or .lock files. Download it here:

There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

Dr.Web Rescue Pack

Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .RANZY, .tx_locked or .lock files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you are infected with ThunderX 2.1 Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Data Recovery Professional to restore .RANZY, .tx_locked or .lock files

1. Download Stellar Data Recovery Professional.
2. Click Recover Data button.
3. Select type of files you want to restore and click Next button.
4. Choose location where you would like to restore files from and click Scan button.
5. Preview found files, choose ones you will restore and click Recover.

Using Windows Previous Versions option:

1. Right-click on infected file and choose Properties.
2. Select Previous Versions tab.
3. Choose particular version of the file and click Copy.
4. To restore the selected file and replace the existing one, click on the Restore button.
5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

1. Download Shadow Explorer program.
2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
3. Select the drive and date that you want to restore from.
4. Right-click on a folder name and select Export.
5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

1. Login to the DropBox website and go to the folder that contains encrypted files.
2. Right-click on the encrypted file and select Previous Versions.
3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses, like ThunderX 2.1 Ransomware, in future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

ZoneAlarm Anti-Ransomware Dashboard

ZoneAlarm Anti-Ransomware Alert

ZoneAlarm Anti-Ransomware Blocked

Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.

2. Back up your files

As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. ThunderX 2.1 Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.