Thomas the Tank Engine ransomware - a threat or a joke?

If you think you’ve seen everything, think again – Thomas the Tank Engine ransomware is on its way to your computer. It is a recent piece of malware that is a bit different from the rest, both in its appearance and demands. It appears that the beloved tank engine is interested in seeing you naked.

Thomas the Tank Engine ransomware

The ransomware, actually called nRansom by its creators, does not encrypt any files like Locky[1], nor does it threaten to send others your private info like LeakerLocker.

Instead, once it gets the hold of your PC, it simply locks the screen and shows a particular message. In other words, it tries to prevent you from using your computer unless you enter a code.[2] The message background is filled with the pictures of Thomas the Tank Engine swearing at you.

But how do you get the decryption code? Well, you can see for yourself – this is the message a victim gets once the nRansom locks the screen:

“Your computer has been locked. You can only unlock it with the special unlock code. go to and create an account. Send an email to [email protected]. We will not respond [sic] immediatly. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web

Got your unlock code and sent your nudes?

Submit your unlock code here.”

As you can see, the hackers demand your nude pictures – more precisely, at least 10 of them. This is very unusual because hackers behind ransomware usually demand a payment in bitcoins or other types of cryptocurrency.[3] Also, it is quite unlikely that someone would be interested in your pictures on the deep web when there is more than enough similar content already.

To make things more awkward, nRansom plays Curb Your Enthusiasm continuously from an mp3 file called “your-mom-gay”.

nRansom ransomware

At first, the unlock code was 12345, but it was changed later. It is actually unknown whether this ransomware is real or simply a joke. However, it is detected as Troj/LockScr-U[4] by Sophos, which means that security tools should detect it as malware.

Unfortunately, it is known that the ransomware now has an updated version. The old email address is changed to a new one – [email protected].[5] The second version goes a bit extreme with its demands – the hackers order the victim to kill 10 people, film it, and send them the video, as well as provide them with 20 naked photos. A bit too much for a computer to be unlocked, isn’t it?

Currently, we don’t know any cases of the infection – there were no reports from users. Hopefully, this is only a prank which won’t evolve into something really dangerous.

To delete the current versions, it is enough to restart your computer in Safe Mode and remove nRansom with your trusted anti-malware program.

About the author
Olivia Morelli
Olivia Morelli - Senior Media writer

Olivia Morelli is a senior media writer on Her favorite topic to write about is ransomware attacks and how to deal with them, but she also enjoys covering the topics of other types of malware and VPNs.

Contact Olivia Morelli
About the company Esolutions

The world’s leading VPN