Decrypt TorrentLocker and Restore TorrentLocker Encrypted Files

4
1031

This page aims to help users infected by TorrentLocker ransomware. Use the guide below to decrypt TorrentLocker files and to restore the original files

This is another trojan-ransomware infection that can cause a great many problems for the user, so it’s necessary to detect TorrentLocker at the earliest opportunity to limit damage. The malware enters the system most usually by the user opening a counterfeit e-mail that admits the trojan. In this case, these are purporting to be communications from a government or financial institution and are skillfully constructed. These either have an attachment or link that users are cunningly persuaded to click on for some important or rewarding legal/financial reason or benefit.

In the U.S, currently the delivery e-mail is a fake shipping notification with a ZIP file attachment. Australia was the first focus of these hackers, though now the U.K has the highest estimated infections at 33% according to Trend Micros. The social engineering and attention to visual presentation employed by the hackers is becoming increasingly efficient and more difficult to discern from legitimate correspondence.

Once inside, the ransomware gets setup in Windows files and drivers then proceeds first to contact its command and control server (C&C), then to encrypt user files, giving them a new extension: ‘.encrypted’. When this is done, a demand for payment in return for the encryption key is issued. To prove the key exists (it will be stored on the TorrentLocker server), the user is given one decrypted file. This version is relatively new though it seems to have stolen/borrowed certain elements from earlier malware threats, CryptoWall and CryptoLocker. Though its coding is different to these two, researchers suspect that these all originate from the same creators (the Gameover Zeus hackers).

decrypt torrentlocker

It was first detected in its present form in February 2014 and since then five major launches of the program have been noted. The current version is the fourth variant and there is no decryption available at present, whereas the preceding three versions have been cracked using the RannohDecryptor software that exploits a flaw in the code. As a new development for ransomware, TorrentLocker has the ability to find and record e-mail contacts which are sent home presumably to use as a ‘mailing list by the hackers. To stop TorrentLocker from entering a system is much easier than dealing with it afterwards.

The current versions of the ransomware demand payment in Bitcoin via payment ‘sites hosted in the Tor network. Interestingly, these demands are geographically tailored and the demands are posted giving the current Bitcoin-local currency exchange rate for the victim’s location. Another noteworthy statistic is that the hackers seem to be targeting small to medium sized businesses (SMB) with this variant, and these accounted for 42% of infections in the first half of 2015. Recognizing and eradicating TorrentLocker infections early can limit the encryption process and greatly improve chances of recovering data (like most ransomware, the program attempts to delete shadow copies).

How to detect and deal with TorrentLocker

As with most malware, this ransomware employs evasive characteristics that may avoid detection by routine system scans and all but the best anti-malware programs. There are some noticeable indications for the user to be on the lookout for though, such as a dramatic slowing of the system due to excessive CPU usage; the visual display freezing momentarily; an unusual amount of traffic activity at ports (and unprompted internet connections being established); an increase in pop-ups and spam. If any of these are noted, disconnect from all internet and network connections (including wireless) and check personal files for any change of extensions.

If files have been encrypted, follow the instructions below to delete TorrentLocker, though first back-up all unchanged personal files to an external device. If there are back-ups available (these should be made regularly and stored externally on a device or cloud storage), then one option is to reformat the disc and re-install everything. If the option chosen is to remove TorrentLocker with the system in place, after ensuring that ALL extensions of the infection are removed, attempt to recover any corrupted files. This can possibly be done in Windows Previous Versions – or if unsuccessful – Shadow Volume Copies can be searched using Shadow Explorer (this is included in some service packs, or available from windows.microsoft.com, as are instructions about Previous Versions). The data available to be recovered will depend on time the malware has had to operate before it was disrupted.

How to Decrypt TorrentLocker Files

In order to use TorrentLocker decryption tool, you must have a pair of both encrypted and original (un-encrypted) files. To decrypt TorrentLocker, please follow the steps below:

Step 1: Download the free TorrentLocker decryption utility from here: http://www.filedropper.com/torrentunlocker
Step 2: Double-click on TorrentUnlocker.exe
torrentlocker unlocker 1
Step 3: Click ‘Encrypted file‘ and choose the encrypted file
Step 4. Click ‘Original file‘ and choose the original file. Click ‘Next
torrent locker unlocker 2
Step 5. You must perform a test decryption to prove that the unlocker works with your files. Please, click ‘Encrypted file’ and select an encrypted file. Then click ‘Decrypt File’ to decypher the selected file. Lastly, click ‘Check file’. If the generated file is successfully decrypted, please proceed to Step 6.
torrentlocker unlocker 3
Step 6. Click the browse button to select the folder with encrypted files.
Step 7. Click ‘Start‘ button. Please, be patient since this process can take long, depending on the size and number of files you are decrypting.

How to prevent TorrentLocker

Always remember that infections of these kinds can be avoided, though efficient security software is insurance against mistakes. The manual things to remember are to regularly back up files and to keep doors closed to ransomware by scrutinizing what is allowed to enter the system. First, install an effective Firewall and block I2P and Tor ‘sites; set this up to restrict port use (if the trojan does get in by some way, it will be disabled if it cannot communicate with the C&C). Make sure that the operating system has any security patches available to minimize exploitation. The practice with unsolicited e-mails is common sense, though also disable ActiveX feature in Microsoft Office apps such as Word and Excel, &c to prevent any accidental installation. Find out about Administrator Privilege settings on the Microsoft website about how to block .exe files running on paths %APPDATA% and %TEMP% (this is where most ransomware and some malware run).

With a little though and some setting up, then with good browsing and installation techniques, it’s possible to avoid these parasitic people and their infection.

SHARE
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and Network security, online safety.If you have any questions feel free to ask him right now.

4 COMMENTS

LEAVE A REPLY

Time limit is exhausted. Please reload CAPTCHA.