Torchwood ransomware (Virus Removal Instructions) - Decryption Steps Included

Torchwood virus Removal Guide

What is Torchwood ransomware?

Torchwood ransomware – an old file-encrypting virus which has been active since 2013

Torchwood ransomwareTorchwood ransomware - a dangerous file-encrypting virus which uses a unique encryption algorithm to lock up valuable documents.

Torchwood ransomware is one of the oldest file-encrypting cyber threats which started its activity in 2013. This dangerous virus manages to infect computer systems which are not protected appropriately. Additionally, cybercrooks modify various system settings manually, and, when the process is completed, the Torchwood virus drops its hazardous payload and starts the encryption. Files are locked with the .TRCHWD, .torchwood, or .TORCHWOOD extensions by using an AES cipher[1]. After that, crooks display a ransom note which urges victims to show contact via torchwood0000@yandex.com email address and pay the demanded ransom to receive a decryption code for blocked documents.

Name Torchwood
Type Ransomware
Active since 2013
Extensions TRCHWD, .TORCHWOOD, .torchwood
Email torchwood0000@yandex.com
Dangers Encrypts important documents, might make the system more vulnerable for other infections
Cipher used AES
Elimination Install FortectIntego

Torchwood ransomware encrypts files such as:

  • Audio;
  • Video;
  • Image;
  • PDFs;
  • Databases;
  • Spreadsheets;
  • etc.

Once such data is locked, users are not able to access it as Torchwood ransomware changes its structure by using a unique code. Both decryption and encryption keys are stored on external servers and kept out of reach for anyone except the criminals themselves. Without having decryption keys, the recovery process is almost impossible to even for highly-experienced IT specialists.

However, we do not recommend contacting the crooks or paying the demanded price. No matter it might seem like the easiest way to get your files back, malware researchers[2] have warned victims that they can be left scammed and face financial losses. If you happen to spot encrypted files with the beforementioned appendixes, you need to remove Torchwood virus from your computer system at first. For such purpose, we advise installing anti-malware help such as FortectIntego or any other trustworthy computer fixing program.

Dealing with ransomware threats is never a good idea as some ransomware-type viruses[3] can also decrease system protection or even disable the antivirus program. Beware that such processes can increase the risk of various computer infections. If you want to avoid such damaging consequences, you need to perform the Torchwood ransomware removal as soon as you spot the first symptoms.

Taking into account the ransom fee, note that it can differ each time for every victim. However, it is known that cybercrooks are very likely to use cryptocurrency, e.g., Bitcoin, Monero, Dash.

Here is the extraction for the Torchwood virus ransom message:

Attention!
If you read this message, then you already guessed that there is something wrong with the computer.
We are obliged to inform you about not the most pleasant news:
All your information (documents, databases, backups and other files) on this computer has been encrypted.
All encrypted files have the extension .TORCHWOOD
This encoder is completely crack-resistant, so you can restore files only by having a unique decoder for your PC.
Changing the operating system, installing antivirus software and contacting decryption specialists will only take your time.
Without a decoder this problem will not be solved by any system administrator in the world.
Just in case, we warn:
Do not change files and do not use other decoders, otherwise, you can lose your data forever.
If you still want to try to solve the problem yourself, then do it on a copy so that later there are no claims to us.

To find out how to get the decoder, write us an email to torchwood0000@yandex.com
Please duplicate all your emails to the address – torchwood@66.ru
If we did not respond within 6 hours, please resend the email.

In the letter, enter the number – [user ID] or paste the text from the file INSTRUCTION_PROFILING_FILE.txt
In the reply email, you will receive all instructions.'

Torchwood virusTorchwood virus - ransomware which has been spreading around since 2013. The virus attacks its victims through phishing messages that cybercriminals send straightly to their emails.

Ransomware distributes through phishing emails

If you have a ransomware infection in your computer, there is a big chance that it might have come from a spam email that you have opened recently and managed to launch an attachment that was clipped to it. You need to be careful with such phishing messages as they might come legitimate-looking. However, if you ever receive spam and you are not expecting anything important at the moment, get rid of all questionable emails permanently.

Additionally, we advise increasing your computer system protection automatically. What you need to do is download and install antivirus protection on your PC. Make sure you chose an expert-tested and trustworthy program to achieve best results. Once you install the antivirus, check it regularly and ensure that all required updates are performed from time to time. If taken care of properly, this security tool will let you avoid various dangerous malware infections that can enter computer systems unnoticed.

Get rid of Torchwood ransomware

If you want to remove Torchwood ransomware from your affected computer system, you need to make sure that you pick the right elimination tool for this purpose. We suggest using FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes. However, you can feel free to use any tools that you have on your computer as long as they function properly and are tested by IT experts.

There is no possibility to perform the Torchwood ransomware removal manually if you do not have enough experience in such a sphere. Better chose to do it with the help of a trustworthy tool, the process will be completed safely and will not require much of the user's effort. Once its done, make sure you carry out some system backups to check if all virus-related components have been removed successfully.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Torchwood virus. Follow these steps

Manual removal using Safe Mode

Reboot your PC to Safe Mode with Networking by performing this guide:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Torchwood using System Restore

Activate the System Restore function to disable the virus. These guiding steps might be helpful for such case:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Torchwood. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Torchwood removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Torchwood from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you have spotted files with the .TRCHWD extension, you can be sure that your computer system is affected by Torchwood ransomware. If you are thinking, how to get corrupted data back, you can use some of the following methods. Follow the given instructions and complete each step carefully to achieve the best results.

If your files are encrypted by Torchwood, you can use several methods to restore them:

Try Data Recovery Pro and restore various corrupted files:

If you perform each step as required, this method might help you restore various documents that were corrupted by the ransomware-type virus or destroyed in other ways.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Torchwood ransomware;
  • Restore them.

Use the Windows Previous Versions method for data recovery:

Read the instructions and perform the given steps. However, you need to know that such technology will work only if you had enabled the System Restore feature before the ransomware infection managed to affect your computer system and files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer to get important documents back:

Notice that this method will work only if Torchwood ransomware did not permanently delete Shadow Volume Copies of corrupted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Sadly, malware experts have not discovered the official Torchwood virus decryptor yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Torchwood and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

 

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References