Guide to remove Torchwood Ransomware
If you find that your important files have been renamed with a .TORCHWOOD extension, your system has fallen victim to a Torchwood ransomware attack.
Torchwood is a crypto virus that uses the AES (Advanced Encryption Standard) encryption algorithm to encrypt your files and demands a ransom of 15,000 rubles (220 USD) to allegedly restore the encrypted files.
The ransom note is written in Russian, which points to Russia as the origin of this ransomware. The earliest activity of this crypto extortionist can be traced back to December 2013 and January and February 2014, and it has evolved over time.
Apparently, unprotected RDP (Remote Desktop Protocol) configurations and hacking tools are to blame for Torchwood Ransomware infiltrating the system.
Torchwood Ransomware- Threat Behavior
Once this pernicious infection gains entry to your computer, it scans your system and the Internet to:
- Track down unprotected Windows server configurations.
- Reveal document and service passwords.
The gathered information is used to gain access to the servers and networks and initiate the encryption process.
In order to achieve persistence, i.e. to launch the attack automatically after each system reboot, Torchwood Ransomware makes entries in the Windows registry. This also enables the ransomware to encrypt files created since its last execution.
Moreover, the Torchwood crypto virus is configured to deprive users of all Shadow Volume Copies on the Windows operating system.
Shadow Volume Copies are a Microsoft Windows technology that allows users to take automatic and manual copies of computer files.
This leaves innocent users helpless, as all the usual ways of restoring OS (Operating System) files and settings are eliminated.
A note demanding the ransom is dropped on the system in a text file named ИНСТРУКЦИЯ_ПО_РАСШИФРОВКЕ_ФАЙЛОВ.txt or just ИНСТРУКЦИЯ.txt, which translate as INSTRUCTIONS_FOR_DECRYPTING_FILES.txt and INSTRUCTIONS.txt respectively.
You should, however, not agree to pay the ransom under any circumstances, as it serves no purpose:
- Victims are often ignored once the ransom is paid.
- Agreeing to the terms and conditions of threat actors encourages them to commit further criminal activities in the future.
How is Torchwood Ransomware Distributed?
The cybercriminals use various strategies for malware distribution, which include:
- Spam Emails: Spamming is the most economical and common method used for the distribution of such malware. The targeted users receive genuine-looking emails that contain .doc, .txt and similar attachments. These attachments can be given any name that grabs the user’s attention and entices him/her to open them. As soon as the user opens the attachment, the malware infects the computer.
- Infected Storage Devices: Your system can also get infected by using removable media such as USB hard drives and jump drives without first scanning them with an anti-virus.
The files that this nasty infection targets include:
- Text files
- MS office documents
- PDF files
HISTORY of TORCHWOOD Ransomware Attacks
TORCHWOOD in 2013, 2014, 2015 with the extension .TORCHWOOD or .torchwood
TORCHWOOD in 2018 with the extension .trchwd or .TRCHWD
The new extension is appended after the original file name and its extension, i.e. as a secondary extension.
If your computer is infected with this ransomware and your files are locked, read on to discover methods that may restore the files to their normal state.
How to protect the system against TORCHWOOD Ransomware attack?
- Maintaining regular backup copies of your data on external drives, USB sticks and cloud storage is always recommended so that an unforeseen incident does not cost you your files.
- The most common distribution tactic of TORCHWOOD Ransomware is via Remote Desktop services. To avoid its infiltration, it is advised to reach Remote Desktop only through a VPN (Virtual Private Network), so that access is limited to VPN account holders. Reaching Remote Desktop only over the VPN also means it is not exposed directly to the internet, which brings both security and management benefits.
- Users should be cautious when opening email attachments. It is good practice to inspect the sender, subject and attachment type before opening it.
- Installing security software such as Hitman Pro and BullGuard that implements behavioral detection to combat ransomware is highly recommended.
- Securing systems with strong passwords that are difficult to crack is of utmost importance.
- Keep all system software up to date to prevent attackers from exploiting security loopholes.
Targeted Operating System: Windows
Symptoms: The user’s files are encrypted. All locked files are appended with a “.TORCHWOOD” or “.TRCHWD” extension after encryption and hence cannot be accessed by the user.
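As an added example (not part of the original guide), the following Python script walks a directory tree and reports the indicators the guide describes: files carrying the .TORCHWOOD/.torchwood or .TRCHWD secondary extension, the ransom note file names, and a count of which original file types were hit, so a responder can confirm the infection and gauge its scope before starting the removal steps. The extension and note names come from the guide; the directory it is run against and any sample file names are assumptions.

```python
import os
from collections import Counter

# Indicators from the guide: the secondary extensions Torchwood has used over
# the years (compared case-insensitively) and the Russian ransom note file names.
TORCHWOOD_EXTENSIONS = {".torchwood", ".trchwd"}
RANSOM_NOTE_NAMES = {"ИНСТРУКЦИЯ_ПО_РАСШИФРОВКЕ_ФАЙЛОВ.txt", "ИНСТРУКЦИЯ.txt"}


def original_name(filename):
    """Strip the secondary Torchwood extension (report.docx.TRCHWD -> report.docx).

    Returns None if the name does not carry a Torchwood extension."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in TORCHWOOD_EXTENSIONS and stem:
        return stem
    return None


def scan_tree(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns a dict with sorted encrypted-file paths, sorted ransom-note paths and
    a Counter of the original extensions (.docx, .pdf, .txt ...) that were hit,
    which is the quickest way to see the targeting the guide describes."""
    encrypted, notes, by_orig_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            orig = original_name(name)
            if orig is not None:
                encrypted.append(path)
                by_orig_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_original_extension": by_orig_ext}


def is_likely_infected(report, min_encrypted=1):
    """A host counts as infected when a ransom note exists or encrypted files are found."""
    return bool(report["notes"]) or len(report["encrypted"]) >= min_encrypted


if __name__ == "__main__":
    import sys
    r = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")  # assumed: path given on the command line
    print(f"encrypted files: {len(r['encrypted'])}, ransom notes: {len(r['notes'])}")
    for ext, n in r["by_original_extension"].most_common():
        print(f"  {ext}: {n}")
```

Run it against the user profile or a file share root; a non-empty `notes` list or any entry in `by_original_extension` is confirmation, and the per-extension counts show which of the targeted document types were reached.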
How to remove TORCHWOOD Ransomware from the System?
STEP A – Remove the services installed by Torchwood ransomware from the system using Safe Mode with Command Prompt
Windows 7/ Vista/ XP
- Click on Windows icon present in the lower left corner of the computer screen.
- Select and click Restart.
- When the screen goes blank, keep tapping F8 key until you see the Advanced Boot Options window.
- With the help of the arrow keys on the keyboard, select Safe Mode with Command Prompt from the list and press the Enter key. The system will then restart into Safe Mode with Command Prompt.
- Click on the username and enter the password (if any).
Windows 10 / Windows 8
- Press and hold the Shift key and simultaneously click on the Windows icon present in the lower left corner of your computer screen.
- While the Shift key is still pressed click on the Power button and then click on Restart.
- Now select Troubleshoot → Advanced options → Startup Settings.
- When the Startup Settings screen appears (the first screen shown after the restart), select and click on Enable Safe Mode with Command Prompt. The system will then restart into Safe Mode with Command Prompt.
- Click on the username and enter the password.
Once the system starts, make sure to log in with an account that has administrative privileges to use Safe Mode with Command Prompt.
After the admin credentials are entered, a Command Prompt window is displayed in which you enter the commands below:
- Type the command “sc delete torchwood ransomware” in the command prompt and press Enter. Note that “sc delete” takes a single service name with no spaces, so replace the argument with the exact name of the service the ransomware installed as it appears in the output of “sc query”.
- Type “exit” to close the command prompt and restart the system in Safe Mode with Command Prompt.
STEP B – Restore the system Files And Settings Using System Restore.
STEP C – Remove Torchwood Ransomware from the system using MSConfig in safe mode with Networking
Restart the system into Safe Mode with Networking (use the Safe Mode steps above, choosing Safe Mode with Networking instead). Once it is running, follow the steps below:
- Type “msconfig” in the search box / Run box, select it and press Enter.
- Click on the “Services” tab and tick “Hide all Microsoft services”.
- Select Torchwood Ransomware from the list of remaining services, disable it by removing the tick mark from its checkbox, and click on the Apply button.
On Windows 7 / Vista / XP:
- Click on the next tab – “Startup”.
- Find any blank or suspicious entry, or the entry mentioning Torchwood Ransomware, and remove its check mark.
- Click on the Apply button and then click on OK.
On Windows 10 / Windows 8:
- Click on the next tab – “Startup”.
- Move the mouse cursor to the “Open Task Manager” link and click on it. This opens the Task Manager window.
- Find any blank or suspicious entry, or the entry mentioning Torchwood Ransomware, and click on it.
- Then click on the Disable button.