Torchwood ransomware
Ransomware | 08/28/2018

How to remove Torchwood Ransomware?



Guide to remove Torchwood Ransomware

Attention!

If you find the names of your important files appended with the .TORCHWOOD extension, then you have fallen into the trap of a Torchwood ransomware attack.

Torchwood is a crypto virus that uses the AES (Advanced Encryption Standard) encryption algorithm to encrypt your files and demands a ransom of 15,000 rubles (220 USD) to allegedly restore the encrypted files.

The ransom note is written in Russian, which points to Russia as the origin of this ransomware. The early activity of this crypto-extortionist can be traced back to December 2013 to February 2014, and it has evolved over time.

 

Unprotected RDP (Remote Desktop Protocol) configurations and hacking tools appear to be to blame for Torchwood ransomware's infiltration into the system.

Torchwood Ransomware- Threat Behavior

Once this pernicious system infection gains entry to your computer, it scans your system and the Internet to:

  1. Track unprotected Windows Server configurations.
  2. Reveal document and service passwords.

The gathered information is used to gain access to servers and networks and to initiate the encryption process.

 

In order to achieve persistence, i.e. to launch the attack automatically after each system reboot, Torchwood ransomware creates entries in the Windows registry. This also lets the ransomware encrypt files newly created since its last execution.

 

Moreover, Torchwood is configured to deprive users of all Shadow Volume Copies on the Windows operating system.

Shadow Volume Copies are a Microsoft Windows feature that lets users take automatic and manual copies of computer files.

This leaves users helpless, as the main way to restore OS (operating system) settings and files is eliminated.
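The first thing a responder wants to know after reading the paragraph above is whether any Shadow Volume Copies or restore points actually survived on the machine, because that decides whether System Restore (STEP B) is even worth attempting. The following script is an added example and is not part of the original guide; it assumes an elevated Windows PowerShell prompt on the affected host and only reads information.

```powershell
# Added example, not part of the original guide. Read-only check of whether Shadow
# Volume Copies and restore points survive on this machine and whether the VSS
# service that creates them is still intact. Run from an elevated PowerShell prompt.

function Get-ShadowCopyStatus {
    # Win32_ShadowCopy exposes the same snapshots that "vssadmin list shadows" prints.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    # Restore points live in the root/default namespace; none here means STEP B has nothing to roll back to.
    $points  = @(Get-CimInstance -Namespace 'root/default' -ClassName SystemRestore -ErrorAction SilentlyContinue)
    $vss     = Get-Service -Name VSS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VssServiceState   = if ($vss) { $vss.Status.ToString() } else { 'missing' }
        VssStartType      = if ($vss) { $vss.StartType.ToString() } else { 'missing' }
        ShadowCopyCount   = $shadows.Count
        RestorePointCount = $points.Count
        OldestSnapshot    = ($shadows | Sort-Object InstallDate | Select-Object -First 1).InstallDate
        NewestSnapshot    = ($shadows | Sort-Object InstallDate | Select-Object -Last 1).InstallDate
        Snapshots         = $shadows | ForEach-Object { '{0}  {1}  {2}' -f $_.InstallDate, $_.VolumeName, $_.DeviceObject }
    }
}

function Test-ShadowCopiesWiped {
    param([Parameter(Mandatory)] $Status)
    # An empty snapshot list, or a VSS service that has been stopped AND disabled, is
    # consistent with the shadow-copy deletion described above. VSS is normally
    # "Stopped / Manual", so a stopped service on its own is not a finding.
    $vssDead = ($Status.VssServiceState -eq 'Stopped' -and $Status.VssStartType -eq 'Disabled')
    return ($Status.ShadowCopyCount -eq 0) -or $vssDead
}

$status = Get-ShadowCopyStatus
$status | Format-List
if (Test-ShadowCopiesWiped -Status $status) {
    Write-Warning 'No usable shadow copies: plan on restoring from offline backups rather than System Restore.'
}
```

A freshly installed machine with System Protection switched off also reports zero snapshots, so read ShadowCopyCount together with RestorePointCount before concluding that the ransomware removed them.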

 

A note demanding payment is dropped on the system in a text file named ИНСТРУКЦИЯ_ПО_РАСШИФРОВКЕ_ФАЙЛОВ.txt or just ИНСТРУКЦИЯ.txt, translated as INSTRUCTION_PROFILING_FILE.txt and INSTRUCTION respectively.

You should not, however, agree to pay the ransom under any circumstances, as it serves no purpose:

  1. Victims are often ignored once the ransom is paid.
  2. Agreeing to the terms and conditions of threat actors encourages them to commit other criminal activities in future.

How is Torchwood Ransomware Distributed?

The cybercriminals use various strategies for malware distribution, which include:

  1. Spam Emails: Spamming is the cheapest and most common method used to distribute such malware. The targeted users receive genuine-looking emails that carry .doc, .txt and similar attachments. These attachments can be named anything that grabs the user's attention and prompts them to open the attachment. As soon as the user opens it, the malware infects the user's computer.
  2. Infected Storage Devices: Your system can also be infected by using removable media such as USB hard drives and flash drives without first scanning them with an anti-virus.

The file types that this nasty system infection targets include:

  1. Audio
  2. Video
  3. Text files
  4. MS Office documents
  5. PDF files
  6. Database files
  7. Archives

 

HISTORY of TORCHWOOD Ransomware Attacks

TORCHWOOD in 2013, 2014, 2015 with the extension .TORCHWOOD or .torchwood

TORCHWOOD in 2018 with the extension .trchwd or .TRCHWD

The new extension is appended as a second extension after the original file name, so the original extension is kept in front of it.
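Because the extension is simply appended, the original file name (and therefore its real type) can be read straight back off every encrypted file. The script below, an added example that is not part of the original guide, uses the extensions listed in this section and the ransom-note file names given above to inventory what was hit and when; the scan roots and the CSV path are assumed values to adapt to the affected machine. It reads only and does not decrypt or delete anything.

```powershell
# Added example, not part of the original guide. Inventories files that carry one of
# the Torchwood extensions named in this guide, recovers each file's original name,
# and locates the ransom-note text files so the scope and timing of the damage are
# known. Read-only: nothing is decrypted, renamed or deleted.

$TorchwoodExtensions = @('.torchwood', '.trchwd')            # compared case-insensitively
$RansomNoteNames     = @('ИНСТРУКЦИЯ_ПО_РАСШИФРОВКЕ_ФАЙЛОВ.txt', 'ИНСТРУКЦИЯ.txt')

function Get-TorchwoodInventory {
    param(
        [Parameter(Mandatory)] [string[]] $Path,   # roots to scan, e.g. 'C:\Users', 'D:\' (assumed)
        [string] $ReportCsv                        # optional CSV for the incident record
    )
    $hits = foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $TorchwoodExtensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                # The ransomware appends its extension after the original one
                # (report.docx -> report.docx.TORCHWOOD), so stripping the last
                # extension gives back the original name and its real type.
                $original = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
                [pscustomobject]@{
                    EncryptedPath     = $_.FullName
                    OriginalName      = $original
                    OriginalExtension = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
                    SizeBytes         = $_.Length
                    LastWriteUtc      = $_.LastWriteTimeUtc
                }
            }
    }
    $hits = @($hits)
    if ($ReportCsv -and $hits.Count) { $hits | Export-Csv -Path $ReportCsv -NoTypeInformation -Encoding UTF8 }
    return $hits
}

function Get-TorchwoodNotes {
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $RansomNoteNames -contains $_.Name } |
            Select-Object FullName, LastWriteTimeUtc
    }
}

function Get-TorchwoodSummary {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Inventory)
    # Earliest and latest write times bracket the encryption run; the per-type counts
    # show which of the file categories listed above were actually hit.
    $sorted = $Inventory | Sort-Object LastWriteUtc
    [pscustomobject]@{
        EncryptedFiles = $Inventory.Count
        FirstWriteUtc  = ($sorted | Select-Object -First 1).LastWriteUtc
        LastWriteUtc   = ($sorted | Select-Object -Last 1).LastWriteUtc
        ByType         = ($Inventory | Group-Object OriginalExtension | Sort-Object Count -Descending |
                          ForEach-Object { "$($_.Name): $($_.Count)" }) -join ', '
    }
}

# Usage (scan roots and report path are assumed; adjust to the affected machine):
$inventory = Get-TorchwoodInventory -Path 'C:\Users', 'D:\' -ReportCsv "$env:USERPROFILE\Desktop\torchwood-files.csv"
Get-TorchwoodSummary -Inventory $inventory | Format-List
Get-TorchwoodNotes -Path 'C:\Users', 'D:\'
```

The FirstWriteUtc/LastWriteUtc pair is the most useful output for the restore steps later in this guide: a restore point or backup must predate FirstWriteUtc to be clean.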

If your computer is infected with this ransomware and your files are locked, read on to discover methods that may restore your files to their normal state.

How to protect the system against TORCHWOOD Ransomware attack?

  1. Maintaining regular backup copies of your data on external drives, USB sticks and cloud storage is always recommended to cover unforeseen circumstances.
  2. The most common distribution tactic of TORCHWOOD ransomware is via Remote Desktop services. To avoid its infiltration into the system, access remote desktops only through a VPN (Virtual Private Network), which limits Remote Desktop access to VPN account holders. Accessing Remote Desktop via VPN also removes the need to expose it directly to the Internet, which brings both security and management benefits.
  3. Users should be cautious when opening email attachments. It is good practice to inspect the details of an email before opening it.
  4. Installing security software such as Hitman Pro and BULL GUARD that implements behavioural detection to combat ransomware is highly recommended.
  5. Securing systems with strong passwords that are difficult to crack is of utmost importance.
  6. Keep all system software up to date to stop attackers from exploiting security loopholes.
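Item 2 above (Remote Desktop only behind a VPN, never directly on the Internet) and item 5 (strong credentials) can be checked on a host rather than taken on trust. The script below is an added example, not part of the original guide; it assumes Windows 8 / Server 2012 or later (for the NetSecurity and LocalAccounts cmdlets), an English Windows for the "net accounts" text, and an elevated prompt. The VPN subnet passed to Set-RdpHardening is a placeholder.

```powershell
# Added example, not part of the original guide. Reports how Remote Desktop is set up on
# this host against the advice above (strong authentication, no direct Internet exposure,
# access limited to the VPN range) and offers a hardening step. Reporting is read-only;
# Set-RdpHardening honours -WhatIf.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $ts  = Get-ItemProperty -Path $TsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $RdpKey -ErrorAction SilentlyContinue
    $port = if ($rdp.PortNumber) { [int]$rdp.PortNumber } else { 3389 }

    $listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    $fwRules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    # A rule whose RemoteAddress is 'Any' lets the whole Internet reach the port.
    $scopes    = $fwRules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }
    $members   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    # SecurityLayer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS required
    $layer = if ($null -eq $rdp.SecurityLayer) { 'unknown' } else { @('RDP', 'Negotiate', 'TLS')[[int]$rdp.SecurityLayer] }

    [pscustomobject]@{
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        Port                = $port
        ListeningOn         = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        NlaRequired         = ($rdp.UserAuthentication -eq 1)   # Network Level Authentication
        SecurityLayer       = $layer
        FirewallRemoteScope = ($scopes | Sort-Object -Unique) -join ', '
        RemoteDesktopUsers  = ($members.Name) -join ', '
        LockoutPolicy       = "$(net accounts | Select-String 'Lockout threshold')".Trim()
    }
}

function Get-RdpFindings {
    param([Parameter(Mandatory)] $Posture)
    if (-not $Posture.RdpEnabled) { return @('Remote Desktop is disabled on this host.') }
    $f = @()
    if (-not $Posture.NlaRequired) { $f += 'NLA is off: a logon screen is served before the client authenticates.' }
    if ($Posture.SecurityLayer -ne 'TLS') { $f += "Security layer is '$($Posture.SecurityLayer)'; require TLS." }
    if ($Posture.FirewallRemoteScope -match 'Any') { $f += 'Inbound RDP rule accepts any remote address; scope it to the VPN subnet.' }
    if ($Posture.LockoutPolicy -match 'Never') { $f += 'No account lockout threshold: password guessing against RDP is unthrottled.' }
    if (-not $f) { $f = @('No findings against the checks above.') }
    return $f
}

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $VpnSubnet)   # e.g. '10.8.0.0/24' (placeholder)
    if ($PSCmdlet.ShouldProcess($RdpKey, 'Require NLA and TLS')) {
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', "Limit remote address to $VpnSubnet")) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $VpnSubnet
    }
}

$posture = Get-RdpPosture
$posture | Format-List
Get-RdpFindings -Posture $posture
# Set-RdpHardening -VpnSubnet '10.8.0.0/24' -WhatIf    # preview, then run without -WhatIf
```

Scoping the firewall rule to the VPN range is the host-side half of item 2; the other half is the perimeter device not forwarding the port at all. Run the hardening with -WhatIf first so a typo in the subnet cannot lock you out of your own remote session.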

 

Threat Summary

Name: TORCHWOOD

Targeted Operating System: Windows

Category: Ransomware

Symptoms: User’s files are encrypted. All locked files are appended with “.TORCHWOOD” or “.TRCHWD” extension after the encryption and hence cannot be accessed by the user.

How to remove TORCHWOOD Ransomware from the System?

STEP A – Remove the services installed by Torchwood ransomware from the system using Safe Mode with Command Prompt

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping F8 key until you see the Advanced Boot Options window.
  4. Using the arrow keys on the keyboard, select Safe Mode with Command Prompt from the list and press the Enter key. The system will then restart into Safe Mode with Command Prompt.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears (the first screen shown after the restart), select Enable Safe Mode with Command Prompt. The system will then restart into Safe Mode with Command Prompt.
  5. Click on the username and enter the password.

Once the system starts, make sure to use an account with administrative privileges to access Safe Mode with Command Prompt.

After the admin credentials are entered, a Command Prompt window is displayed where you can enter the commands below:

  1. Type “sc delete <service name>” in the command prompt, where <service name> is the name of the service registered by Torchwood ransomware (the example given here is “sc delete torchwood ransomware”), and press Enter.
  2. Type “exit” to close the command prompt and restart the system in Safe Mode with Command Prompt.
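The sc delete step above only works if you know the exact service name the ransomware registered, and the Threat Behavior section earlier says the same infection also persists through registry entries. The script below is an added example, not part of the original guide, and serves both passages: it lists the Run/RunOnce keys and all services, shows the signer of each target binary, and flags entries whose binary is missing, unsigned, or lives in a user-writable folder. It assumes an elevated Windows PowerShell prompt and only reports.

```powershell
# Added example, not part of the original guide. Inventories the two autostart
# locations this guide mentions, the Run/RunOnce registry keys and Windows services,
# and flags entries worth a closer look. Read-only; run from an elevated prompt.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand ([string] $Command) {
    # '"C:\Program Files\x\y.exe" -arg' and 'C:\Windows\foo.exe /k' both yield the .exe path
    $path = if ($Command -match '^\s*"?(.+?\.exe)') { $Matches[1] } else { $Command.Trim('"', ' ') }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-TargetInfo ([string] $Exe) {
    $flags  = @()
    $signer = ''
    if (-not $Exe -or -not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
        $flags += 'target missing'            # orphaned entry: binary deleted or never existed
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Exe
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false) }
    }
    if ($Exe -match '\\(Users|Temp|AppData|ProgramData|Public)\\') { $flags += 'user-writable path' }
    [pscustomobject]@{ Signer = $signer; Flags = $flags -join '; ' }
}

function Get-AutostartInventory {
    # Registry Run / RunOnce values: the reboot persistence described in Threat Behavior
    foreach ($key in $RunKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($p in $values.PSObject.Properties) {
            # PSPath, PSParentPath, ... are provider metadata, not Run values
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $info = Get-TargetInfo (Get-ExecutableFromCommand ([string]$p.Value))
            [pscustomobject]@{
                Kind = 'RunKey'; Name = $p.Name; Where = $key
                Signer = $info.Signer; Flags = $info.Flags; Command = $p.Value
            }
        }
    }
    # Services: Name (not DisplayName) is what "sc delete <service name>" in STEP A expects
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $info = Get-TargetInfo (Get-ExecutableFromCommand $svc.PathName)
        [pscustomobject]@{
            Kind = 'Service'; Name = $svc.Name; Where = "$($svc.StartMode)/$($svc.State)"
            Signer = $info.Signer; Flags = $info.Flags; Command = $svc.PathName
        }
    }
}

$inventory = Get-AutostartInventory
# Show only flagged entries first; drop the Where-Object to see everything.
$inventory | Where-Object { $_.Flags } | Format-Table Kind, Name, Where, Signer, Flags, Command -AutoSize -Wrap
```

A flag is a reason to look, not a verdict: plenty of legitimate third-party software is unsigned or installed under ProgramData. Once a service is confirmed as the ransomware's, its Name column is the value to use with the sc delete command in step 1 above (stop it first with Stop-Service), and a flagged Run value is removed with Remove-ItemProperty on the key shown in Where.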

STEP B – Restore the system Files And Settings Using System Restore.

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button at the top right and select the Large icons option.
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6. Select the restore point that is prior to the infiltration of Torchwood Ransomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Torchwood Ransomware.

Method 2 using Command Prompt

  1. Type cmd in the search box and click on Command Prompt to open the Command Prompt window.
  2. Once the Command Prompt window appears, type cd restore and press Enter (make sure you are in the Windows\system32 directory on the C: drive).
  3. Now type rstrui and press Enter again.
  4. When a new window appears, click Next and select the restore point that is prior to the infiltration of Torchwood Ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on the Finish button. This will restore your system to a previous restore point before your system was infected by Torchwood Ransomware.

Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

STEP C – Remove Torchwood Ransomware from the system using MSConfig in safe mode with Networking

To restart the system into Safe Mode with Networking (if the system is already switched on), follow the steps below:

Windows 7/ Vista/ XP

  1. Click on the Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping the F8 key until you see the Advanced Boot Options window.
  4. Using the arrow keys on the keyboard, select the Safe Mode with Networking option from the list and press the Enter key. The system will then restart into Safe Mode with Networking.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears (the first screen shown after the restart), select Enable Safe Mode with Networking. The system will then restart into Safe Mode with Networking.
  5. Click on the username and enter the password.

Once the system has started in Safe Mode with Networking:

  1. Type “Msconfig” in the search box / Run box, select it and press Enter.
  2. Click on the “Services” tab and tick “Hide all Microsoft services”.
  3. Select Torchwood Ransomware from the list of remaining services, disable it by removing the tick mark from its checkbox, and click on the Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry, or the entry that mentions Torchwood Ransomware, and remove its check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Click on the ‘Open Task Manager’ link. This opens the Task Manager window.
  3. Find any blank or suspicious entry, or the entry that mentions Torchwood Ransomware, and click on it.
  4. Then click on Disable button.

 

 

Virus Removal Guidelines