Severity scale: 98/100

Torchwood ransomware. How to remove? (Uninstall guide)

Removal by Olivia Morelli | Type: Ransomware

Torchwood ransomware – an old file-encrypting virus which has been active since 2013

Torchwood ransomware - a dangerous file-encrypting virus which uses a unique encryption algorithm to lock up valuable documents.

Torchwood ransomware is one of the oldest file-encrypting cyber threats; it started its activity in 2013. This dangerous virus infects computer systems that are not protected appropriately. Additionally, cybercrooks modify various system settings manually, and, when that process is completed, the Torchwood virus drops its hazardous payload and starts the encryption. Files are encrypted with an AES cipher[1] and marked with the .TRCHWD, .torchwood, or .TORCHWOOD extension. After that, the crooks display a ransom note which urges victims to make contact via the torchwood0000@yandex.com email address and pay the demanded ransom to receive a decryption code for the blocked documents.

Name: Torchwood
Type: Ransomware
Active since: 2013
Extensions: .TRCHWD, .TORCHWOOD, .torchwood
Email: torchwood0000@yandex.com
Dangers: Encrypts important documents, might make the system more vulnerable to other infections
Cipher used: AES
Elimination: Install Reimage

Torchwood ransomware encrypts files such as:

  • Audio;
  • Video;
  • Image;
  • PDFs;
  • Databases;
  • Spreadsheets;
  • etc.

Once such data is locked, users are not able to access it as Torchwood ransomware changes its structure by using a unique code. Both decryption and encryption keys are stored on external servers and kept out of reach of anyone except the criminals themselves. Without the decryption keys, the recovery process is almost impossible even for highly experienced IT specialists.

However, we do not recommend contacting the crooks or paying the demanded price. Even though it might seem like the easiest way to get your files back, malware researchers[2] have warned victims that they can be scammed and face financial losses. If you happen to spot encrypted files with the aforementioned extensions, you need to remove the Torchwood virus from your computer system first. For this purpose, we advise installing an anti-malware tool such as Reimage or any other trustworthy computer fixing program.

Dealing with ransomware threats is never a good idea as some ransomware-type viruses[3] can also decrease system protection or even disable the antivirus program. Beware that such processes can increase the risk of various computer infections. If you want to avoid such damaging consequences, you need to perform the Torchwood ransomware removal as soon as you spot the first symptoms.

As for the ransom fee, note that it can differ for every victim. However, it is known that cybercrooks are very likely to use cryptocurrency, e.g., Bitcoin, Monero, Dash.

Here is the text of the Torchwood virus ransom message:

Attention!
If you read this message, then you already guessed that there is something wrong with the computer.
We are obliged to inform you about not the most pleasant news:
All your information (documents, databases, backups and other files) on this computer has been encrypted.
All encrypted files have the extension .TORCHWOOD
This encoder is completely crack-resistant, so you can restore files only by having a unique decoder for your PC.
Changing the operating system, installing antivirus software and contacting decryption specialists will only take your time.
Without a decoder this problem will not be solved by any system administrator in the world.
Just in case, we warn:
Do not change files and do not use other decoders, otherwise, you can lose your data forever.
If you still want to try to solve the problem yourself, then do it on a copy so that later there are no claims to us.

To find out how to get the decoder, write us an email to torchwood0000@yandex.com
Please duplicate all your emails to the address – torchwood@66.ru
If we did not respond within 6 hours, please resend the email.

In the letter, enter the number – [user ID] or paste the text from the file INSTRUCTION_PROFILING_FILE.txt
In the reply email, you will receive all instructions.

Ransomware distributes through phishing emails

If you have a ransomware infection on your computer, there is a big chance that it came from a spam email that you opened recently, launching an attachment that was clipped to it. You need to be careful with such phishing messages as they might look legitimate. If you ever receive spam and you are not expecting anything important at the moment, get rid of all questionable emails permanently.

Additionally, we advise increasing your computer system protection automatically. To do so, download and install antivirus protection on your PC. Make sure you choose an expert-tested and trustworthy program to achieve the best results. Once you install the antivirus, check it regularly and ensure that all required updates are performed from time to time. If taken care of properly, this security tool will let you avoid various dangerous malware infections that can enter computer systems unnoticed.

Get rid of Torchwood ransomware

If you want to remove Torchwood ransomware from your affected computer system, you need to make sure that you pick the right elimination tool for this purpose. We suggest using Reimage, Malwarebytes, Combo Cleaner, or Plumbytes Anti-Malware. However, feel free to use any tools that you have on your computer as long as they function properly and are tested by IT experts.

There is no possibility to perform the Torchwood ransomware removal manually if you do not have enough experience in such a sphere. Better choose to do it with the help of a trustworthy tool: the process will be completed safely and will not require much of the user's effort. Once it's done, make sure you carry out some system backups to check if all virus-related components have been removed successfully.


To remove Torchwood virus, follow these steps:

Remove Torchwood using Safe Mode with Networking

Reboot your PC to Safe Mode with Networking by following this guide:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Torchwood

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete the Torchwood removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Torchwood using System Restore

Activate the System Restore function to disable the virus. These steps might be helpful in such a case:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Torchwood. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it, and make sure that the Torchwood removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Torchwood from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you have spotted files with the .TRCHWD extension, you can be sure that your computer system is affected by Torchwood ransomware. If you are wondering how to get corrupted data back, you can use some of the following methods. Follow the given instructions and complete each step carefully to achieve the best results.
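Before attempting recovery, it helps to know how much was encrypted and when. The following read-only Python script is an added example (not part of the original guide or of any tool it names) that inventories files carrying the extensions listed on this page and locates the ransom note file. It assumes a file's modification time approximates when it was encrypted, which helps when picking a restore point that predates the infection; the function names `triage` and `report` are this example's own.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

# Indicators taken from this page: the appended extensions (.TRCHWD,
# .torchwood, .TORCHWOOD) and the file name quoted in the ransom note.
# Matching is case-insensitive, so other casings are caught as well.
ENCRYPTED_EXTS = (".trchwd", ".torchwood")
NOTE_NAME = "instruction_profiling_file.txt"


def triage(root):
    """Read-only walk of `root`: count encrypted files per folder, list
    ransom notes, and find the oldest modification time among encrypted files."""
    per_dir, notes, earliest = Counter(), [], None
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == NOTE_NAME:
                notes.append(path)
            elif low.endswith(ENCRYPTED_EXTS):
                per_dir[dirpath] += 1
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable entry: counted, but no timestamp
                if earliest is None or mtime < earliest[0]:
                    earliest = (mtime, path)
    return {"total": sum(per_dir.values()), "per_dir": per_dir,
            "notes": notes, "earliest": earliest}


def report(result, top=5):
    """Format the triage result as text for an incident note."""
    lines = [f"encrypted files: {result['total']}",
             f"ransom notes:    {len(result['notes'])}"]
    if result["earliest"]:
        # Assumption: the encryptor rewrote each file, so mtime ~ encryption time.
        when = datetime.fromtimestamp(result["earliest"][0], tz=timezone.utc)
        lines.append(f"earliest hit:    {when:%Y-%m-%d %H:%M:%S} UTC  {result['earliest'][1]}")
    for folder, count in result["per_dir"].most_common(top):
        lines.append(f"{count:6d}  {folder}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py <folder>   (defaults to the current directory)
    print(report(triage(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it against a copy or a mounted image of the affected disk where possible, so that the original timestamps stay intact for later analysis.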

If your files are encrypted by Torchwood, you can use several methods to restore them:

Try Data Recovery Pro and restore various corrupted files:

If you perform each step as required, this method might help you restore various documents that were corrupted by the ransomware-type virus or destroyed in other ways.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Torchwood ransomware;
  • Restore them.

Use the Windows Previous Versions method for data recovery:

Read the instructions and perform the given steps. However, you need to know that such technology will work only if you had enabled the System Restore feature before the ransomware infection managed to affect your computer system and files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Use Shadow Explorer to get important documents back:

Notice that this method will work only if Torchwood ransomware did not permanently delete Shadow Volume Copies of corrupted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop-down menu in the top-left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sadly, malware experts have not discovered the official Torchwood virus decryptor yet.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Torchwood and other ransomware, use a reputable anti-spyware tool, such as Reimage, Malwarebytes, Combo Cleaner, or Plumbytes Anti-Malware.

About the author

Olivia Morelli - Ransomware analyst


References