
Torchwood Ransomware

By GoldSparrow in Ransomware

The Torchwood Ransomware is an encryption ransomware Trojan and one of the oldest ransomware Trojans that is still active. The Torchwood Ransomware has been around since at least 2013, two years before the explosion in popularity of these threats that followed the 2015 release of HiddenTear, an open source ransomware platform that spawned countless variants. The Torchwood Ransomware is designed to attack high-profile targets, business networks, and servers for websites and data centers in particular. The Torchwood Ransomware is delivered manually to the targeted computer rather than through spam email messages or other common delivery methods. Criminals using the Torchwood Ransomware will often look for computers with weak passwords or poorly protected RDP (Remote Desktop Protocol) connections, which could enable them to install the Torchwood Ransomware on the targeted PC.

How the Torchwood Ransomware Enters a Computer

The Torchwood Ransomware carries out its attack quickly and uses AES-256 encryption to make the victim's files inaccessible. The Torchwood Ransomware targets a wide variety of user-generated files, which may include numerous media, document, configuration, database and other files. The file types targeted by threats like the Torchwood Ransomware include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dota.

The Torchwood Ransomware marks the files it encrypts by adding a new extension to each file's name. The Torchwood Ransomware uses several different file extensions in its attacks, which are:

.torchwood
.TORCHWOOD
.TRCHWD

The Torchwood Ransomware's Ransom Demand

The criminals responsible for the Torchwood Ransomware are suspected to be of Russian origin. The Torchwood Ransomware delivers a ransom note written in Russian, named 'ИНСТРУКЦИЯ.txt' (INSTRUCTIONS.txt). Translated from Russian into English, the Torchwood Ransomware's ransom note reads:

'Attention!
If you read this message, then you already guessed that there is something wrong with the computer.
We are obliged to inform you about not the most pleasant news:
All your information (documents, databases, backups and other files) on this computer has been encrypted.
All encrypted files have the extension .TORCHWOOD
This encoder is completely crack-resistant, so you can restore files only by having a unique decoder for your PC.
Changing the operating system, installing antivirus software and contacting decryption specialists will only take your time.
Without a decoder this problem will not be solved by any system administrator in the world.
Just in case, we warn:
Do not change files and do not use other decoders, otherwise, you can lose your data forever.
If you still want to try to solve the problem yourself, then do it on a copy so that later there are no claims to us.
To find out how to get the decoder, write us an email to torchwood0000@yandex.com
Please duplicate all your emails to the address - torchwood@66.ru
If we did not respond within 6 hours, please resend the email.
In the letter, enter the number - [user ID] or paste the text from the file INSTRUCTION_PROFILING_FILE.txt
In the reply email, you will receive all instructions.'

Unfortunately, once the Torchwood Ransomware has encrypted the files, they are lost permanently without the decryption key. However, computer users shouldn't contact the criminals or follow the instructions in the Torchwood Ransomware ransom note. As with most threats of this type, having file backups is the most reliable protection.
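For triage after a suspected incident, the indicators named above (the three appended extensions, the note 'ИНСТРУКЦИЯ.txt' and the INSTRUCTION_PROFILING_FILE.txt it mentions) can be swept for across a file share to see which directories were hit. The Python script below is an added example, not part of the original article; the function names and the sample tree are constructed, and it assumes the extensions and note names should be matched case-insensitively.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the article; matching is case-insensitive (assumption).
MARKER_EXTENSIONS = {".torchwood", ".trchwd"}
NOTE_FILES = {"инструкция.txt", "instruction_profiling_file.txt"}


def triage(root):
    """Return {directory: {"encrypted": [(name, original)], "notes": [name]}}."""
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            stem, ext = os.path.splitext(name)
            if ext.lower() in MARKER_EXTENSIONS:
                # The marker is appended, so the stem is the original file name.
                report[dirpath]["encrypted"].append((name, stem))
            elif name.lower() in NOTE_FILES:
                report[dirpath]["notes"].append(name)
    return dict(report)


def demo():
    """Triage a constructed sample tree (empty files, no real samples)."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.makedirs(os.path.join(root, "clean"))
        os.makedirs(share)
        for path in ("clean/report.docx", "share/ledger.xlsx.TORCHWOOD",
                     "share/db.bak.TRCHWD", "share/notes.txt",
                     "share/ИНСТРУКЦИЯ.txt"):
            open(os.path.join(root, *path.split("/")), "w").close()
        return {os.path.relpath(d, root): hits for d, hits in triage(root).items()}


if __name__ == "__main__":
    for directory, hits in demo().items():
        print(f"{directory}: {len(hits['encrypted'])} encrypted, notes={hits['notes']}")
        for name, original in hits["encrypted"]:
            print(f"  {name} (was {original})")
```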
