
Torchwood Ransomware

Posted: August 21, 2018

The Torchwood Ransomware is a file-locker Trojan that keeps your media from opening by encrypting each file with AES or another encryption method, after which it displays its ransoming instructions. Paying the ransom is not necessarily the best way of unlocking your files, and most users with any work of value on a network-accessible PC should keep spare backups on other devices. Update your anti-malware programs and let them analyze incoming downloads so that the Torchwood Ransomware can be deleted as soon as possible.

Ten Years Gone By and a Trojan Returns

File-locker Trojans can be surprisingly long-lived, and they often extend their lifespans by doing little more than updating the contact information in their ransom notes or other aesthetic features. However, even a 'free' Trojan like Hidden Tear would have difficulty competing in longevity with the Torchwood Ransomware, which is two years older. This unusually old file-locking Trojan disappeared from circulation for several years until Russia-based AV researchers caught samples of a new variant in 2018.

Earlier variants of the Torchwood Ransomware include annual releases from 2013 to 2015, followed by a period of silence until the current release. All changes between the versions of the Torchwood Ransomware are limited to superficial edits to their Notepad-formatted ransom messages and to the extensions that they add to media (such as 'torchwood,' 'TORCHWOOD' or the new 'TRCHWD'). In keeping with similar file-locker Trojans, the Torchwood Ransomware also runs the documents, databases, and other files that it attacks through an encryption routine that keeps them from opening in other programs, regardless of the filename changes.

Although malware researchers can do no more than estimate whether the new campaign is the work of the same threat actors or of others, these criminals are using infection strategies that target unprotected networks. Brute-force attacks, similar to those used by the Scarab Ransomware family's clients, are breaking weak passwords and login credentials. A remote attacker may then enable Remote Desktop features to finalize his control over the system and install a threat like the Torchwood Ransomware.

Putting Out the Torch that's Kindling on Your Files

The Torchwood Ransomware is potentially a significant security issue for Russian server administrators, especially those using outdated platforms such as Windows Server 2008. Although the Torchwood Ransomware's encryption attack is equally threatening to PCs running under other language configurations, its ransom messages are always in Russian, and its threat actors seem to be targeting that region to the exclusion of others. Update your server architecture when appropriate and use password strategies that malware analysts would rate as sufficiently secure against brute-force attacks, such as avoiding factory-default strings.
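The intrusion chain described above (credential brute-forcing followed by a Remote Desktop logon) leaves a recognizable trail in the Windows Security log, which is where an administrator hardening a server against this campaign would look first. The following Python script is an added example and is not code from the original article or from any analysis of the Torchwood Ransomware itself. It runs over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon), flags any source address that exceeds a failure threshold inside a sliding time window, and reports whether a successful logon from that source followed the burst. The threshold, the window length, the IP addresses and the account names are all assumptions chosen for the example.

```python
"""Flag brute-force logon bursts in Windows-style security log records.

Added example, not from the original article. The sample records are
constructed to mimic the fields of Windows Security events 4625 (failed
logon) and 4624 (successful logon); logon type 10 is RemoteInteractive
(RDP) and type 3 is a network logon. Threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, account, source_ip, logon_type).
SAMPLE_EVENTS = [
    ("2018-08-20 02:00:01", 4625, "administrator", "203.0.113.7", 3),
    ("2018-08-20 02:00:02", 4625, "admin", "203.0.113.7", 3),
    ("2018-08-20 02:00:02", 4625, "administrator", "203.0.113.7", 3),
    ("2018-08-20 02:00:03", 4625, "backup", "203.0.113.7", 3),
    ("2018-08-20 02:00:04", 4625, "administrator", "203.0.113.7", 3),
    ("2018-08-20 02:00:05", 4625, "administrator", "203.0.113.7", 3),
    ("2018-08-20 02:00:06", 4624, "administrator", "203.0.113.7", 10),
    # A single mistyped password followed by a normal RDP logon: benign.
    ("2018-08-20 02:10:00", 4625, "jsmith", "192.0.2.15", 10),
    ("2018-08-20 02:11:00", 4624, "jsmith", "192.0.2.15", 10),
]

FAILURE_THRESHOLD = 5          # assumed: failures per source inside one window
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for sorting."""
    return [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "account": acct, "source": src, "logon_type": lt}
        for ts, eid, acct, src, lt in rows
    ]


def detect_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for sources with >= threshold failures in a window.

    Each finding records the peak failure count, the distinct accounts tried,
    and whether a 4624 from the same source followed the burst (the case that
    indicates a guessed credential rather than a failed attempt).
    """
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["source"]].append(ev)

    findings = {}
    for src, fails in failures.items():
        times = [e["time"] for e in fails]
        # Sliding window: find the densest run of failures from this source.
        best, best_span, start = 0, (0, 0), 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (start, end)
        if best < threshold:
            continue
        burst_end = times[best_span[1]]
        success = next(
            (e for e in events
             if e["event_id"] == 4624 and e["source"] == src and e["time"] >= burst_end),
            None,
        )
        findings[src] = {
            "failures": best,
            "accounts": sorted({e["account"] for e in fails[best_span[0]:best_span[1] + 1]}),
            "success_after_burst": success is not None,
            "rdp_logon": success is not None and success["logon_type"] == 10,
        }
    return findings


if __name__ == "__main__":
    for source, finding in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(source, finding)
```

On the constructed input, only 203.0.113.7 is flagged: six failures across three account names in a few seconds, followed by a successful RDP logon, which is exactly the pattern worth an immediate password reset and a review of that session. Real deployments would feed the same logic from exported event logs rather than an inline list, and would tune the threshold to the server's normal failed-logon rate.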

In spite of its age, the Torchwood Ransomware uses a secure encryption technique, and there is no public decryption service for any member of this minor family. File-locker Trojans are more likely than not to attack pictures, documents, and other high-value but small media, which allows a quick conversion to encrypted formats. Let your anti-malware programs delete the Torchwood Ransomware automatically when possible, and use non-local backups for saving your media.

The fact that the Torchwood Ransomware is being revived shows just how little about a Trojan needs to change to make it a possible problem for today's PC users. Even the oldest Trojans can be threatening if their victims continue to neglect appropriate logins or fail to back their work up somewhere secure.
