Severity scale:  
  (99/100)

TorrentLocker virus. How to remove? (Uninstall guide)

removal by Ugnius Kiguolis - -   Also known as TorrentLocker ransomware | Type: Ransomware
12

Latest information about TorrentLocker virus:

TorrentLocker ransomware virus has been spotted on the September 2014 and has been updated several times since then. The virus code has been cracked on 2015 and victims could decrypt their files. However, the virus has been updated on 2016 again, and the recent version is still undecryptable. According to the malware researchers, the virus is a clone of infamous CryptoLocker [1]. The threat insidiously sneaks into a device, locates personal files and encodes them using a mathematically complex algorithm, RSA-2048 [2]. What is more, it has been revealed that the virus has been employing a new technique to broaden its infection scale. TorrentLocker virus has been mostly aimed at Australian computer users. However, later it shifted its attention towards Swedish users. For the distribution and infiltration, the cyber criminals use the name of a trusted telecommunication company, Telia, which has a wide range of customers in Europe and Asia, to convince users into entering specific web page [3]. The ransomware gets compressed into the explorer.exe file. Thus, locating the file on the system might become a tricky task. If you have become one of the victims, get acquainted with TorrentLocker removal possibilities. For that purpose, Reimage is a useful tool.

The malware encrypts victim’s files (photos, videos, audio files) and, then, displays a message requiring people to pay a ransom for retrieving them. The virus leaves DECRYPT_INSTRUCTIONS.html file which contains the message instructing to proceed with the payment. It alarms users into paying the ransom within the specified amount of time. Such technique of using psychological terror is common among hackers. Otherwise, the data will be lost. In the note, the victim is demanded to enter a certain Australian Bitcoin website and purchase bitcoins from it. The ransom equals to 550 USD and should be sent to the indicated address. We discourage you from making the transaction because it does not guarantee the retrieval of the locked data. Therefore, it’s better to remove TorrentLocker from the computer than pay the ransom to the cyber criminals.

Regarding the TorrentLocker decrypt probabilities, IT experts have managed to come up with several decoding techniques. They have been trying to catch up with hackers by working out possible decoding strategies. In 2015, TorrentLocker decryption tool was created. Nonetheless, cyber criminals seem to be one step ahead. Torrent Locker employs Tor network as an additional backup channel for Command & Control server [4]. Due to the fact, that this virus is continually improved, there is no decryption key for the current version of the ransomware yet. Recently, the new version of the malware has emerged. It appends 6-alphabetic character file extension to the encoded files. All the demands are presented in How_to_Restore_Files.html and How_to_Restore_Files.txt. Specialists named it Crypt0l0cker ransomware. Luckily, there might be hope. TorrentLocker cannot start encrypting files if it does not connect to its command server. Thus, it may create a chance for IT professionals to come up with the solution faster. If you are already infected, you should remove TorrentLocker instantly. Rely on a reputable antivirus software.

Update March 2017: Increased activity of an improved TorrentLocker version spreads panic in Denmark 

Update March 2017: Increased activity of an improved TorrentLocker version spreads panic in Denmark
TorrentLocker is growing ever more dangerous as it now seems to be targeting specific countries [5]. In the five last days of February 2017, Denmark has been under siege by a malicious spam campaign that distributes TorrentLocker around. Apart from picking a target country the virus creators have also added some new adjustments to the program itself. One of these additions includes ransomware’s ability to spread from one computer to another via shared files. This is obviously an attempt to increase the volume of the infected computers and, naturally, ensure a greater profit. The hackers have also equipped the malicious program with phishing functionalities, enabling it to steal passwords and usernames that it manages to extract from the infected computer. So, it is possible that ransomware attack may end up in identity theft and other privacy infringements, let alone encrypted files.

If you live in Denmark, you should be especially careful when opening emails you receive in your inbox. Nevertheless, the users in other parts of the world should not let down they guard either. You can never know who’s next on the ransomware’s target list. If you open an email that asks you to “Enable Editing” or “Enable Macros” don’t do it. TorrentLocker needs you to enable macro settings to activate the malicious code and start the encryption of your files. Delete the file immediately, disconnect your computer from the network and scan your system with an antivirus tool.

Methods of distribution

Just like the majority of ransomware, the Torrent Locker virus is distributed through spam emails. As we already mentioned, the victims receive perfectly localized emails which seem like to be sent from Telia. The subject of the email is entitled as “Invoice from Telia” including the name of the recipient. Thus, it contains a single link which redirects to the website which looks like an official website of the mentioned Tele company. Thus, when users get to the website, it asks him or her to type the provided Captcha code to identify whether the user is not a robot. Without suspecting anything wrong, you enter the code, and TorrentLocker malware is downloaded to the computer. Note that the ransomware gets downloaded, after indicating that the victim is from Sweden. After that, the victim is connected to manybigtoys.com server which registers the infected PC. Thus, it is likely that the data might be used for future infiltrations.

In order to protect your PC, avoid opening emails, even if they are seemingly sent from tax or telecommunication companies. Concerning the spam email of Telia, the official website will not require you to enter any code upon entering the website. Though the first versions targeted mainly Swedish users, the malware impersonates such companies as British Gas (Uk), Endesa (Spain), New Zealand Post (NZ, etc. [6]. Moreover, you should always look for typos or grammar mistakes, check the sender’s mail and compare it to the company’s email. If it looks suspicious, you should always contact the company directly. Lastly, some versions might be dispersed with the help of exploit kits, so improve your security by updating anti-spyware and anti-virus programs.

How to remove TorrentLocker ransomware from the system entirely?

If TorrentLocker virus has infected a computer, start a system scan using the anti-spyware program (Reimage or Malwarebytes Anti Malware). Keep in mind that you need to have the newest version in order for the software to root out the virus completely. You should know that the security application does not decrypt the locked files. Thus, you need to look for other programs which will help you recover the files. The easiest and most secure way to do that is to restore the data from the back-up. If you struggle with TorrentLocker removal because you can’t run the security programs, then, take a look at the instructions below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove TorrentLocker virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall TorrentLocker virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual TorrentLocker virus Removal Guide:

Remove TorrentLocker using Safe Mode with Networking

Malware can prevent you from installing antivirus or anti-malware software. In this case, you have to reboot your PC to the Safe Mode in order to perform automatic TorrentLocker removal

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove TorrentLocker

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete TorrentLocker removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove TorrentLocker using System Restore

If Safe Mode did not work, please try System Restore method by following these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of TorrentLocker. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that TorrentLocker removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove TorrentLocker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by TorrentLocker, you can use several methods to restore them:

Does Data Recovery Pro tool help to restore files encrypted by TorrentLocker ransomware?

Data Recovery Pro tools comes in handy tracking missing and damaged files. The software is also capable of restoring encrypted files. We cannot assure that all files will be rescued; however, you should give it a try:

The benefits of ShadowExplorer when restoring files encrypted by TorrentLocker ransomware

The main advantage of this program is that it retrieves volume shadow copies on Windows OS. These copies are created by the system automatically. In case of a system trash or ransomware assault, the program helps recreate the files by using the patterns of these copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

TorrentLocker ransomware decryption software hasn’t been released yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from TorrentLocker and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References

Removal guides in other languages


  • Britanny Joy

    This virus is really scary, I had my files locked by it before. Never got them back 🙁

  • Loraine44

    Ransowmare is the WORST!

  • Keneth7

    Does antivirus detect viruses like these while browsing?

    • BoolasP.

      I guess it does, but Id be more careful while browsing and downloading any suspicious files myself