Thundersoft Decryptor May 2026

Run vssadmin list shadows in Command Prompt. If the ransomware did not delete Volume Shadow Copies (some newer variants do), you can restore previous versions of files using ShadowExplorer from NirSoft.

In the first half of 2025, cybersecurity firms observed an uptick in infections attributed to a new ransomware variant colloquially named "Thundersoft." Unlike its predecessors, Thundersoft targeted industrial control system (ICS) engineering workstations, specifically those running Siemens TIA Portal and Rockwell Studio 5000. The ransomware appended the extension .thunder to encrypted files. In response, a collective of reverse engineers released an unofficial tool: the Thundersoft Decryptor.

This paper provides a structured technical review of the threat landscape that necessitated the decryptor, the cryptographic flaws it exploits, its implementation, and the broader implications for enterprise defense.

Analysis of the binary (SHA-256: a4f3c8...) revealed:

Thundersoft ransomware was first identified in the wild in early 2023. It targets primarily small-to-medium enterprises (SMEs) and relies on a combination of AES-256 for file encryption and RSA-2048 for key protection. While the encryption implementation is standard, a critical flaw in the key generation entropy and temporary file handling allowed security researchers to reverse-engineer the decryption process.

The Thundersoft Decryptor serves as a critical incident response tool, allowing victims to restore compromised data immediately, mitigating operational downtime and financial loss.