Tornado Ransomware
Posted: February 14, 2018
Threat Metric
| Ranking: | 23,190 |
|---|---|
| Threat Level: | 8/10 |
| Infected PCs: | 728 |
| First Seen: | April 10, 2024 |
| Last Seen: | January 21, 2025 |
| OS(es) Affected: | Windows |
The Tornado Ransomware is a Trojan that uses RSA encryption to lock your files and hold them hostage until you pay a Bitcoin ransom. Symptoms of a Tornado Ransomware infection include the appearance of text-based ransom messages, an e-mail address and a new extension added to the names of your files, and an inability to open various types of media. Since free decryption is rarely practical, you should have your anti-malware programs disable and delete the Tornado Ransomware as soon as it is detected.
Your Media is Getting Pulled into a Whirlwind
A new Trojan, which may be a variant of well-known families like the Globe Ransomware, the Crysis Ransomware or the BTCWare Ransomware, is appearing in live distribution. Its attacks combine a secure, data-encrypting routine with an accompanying ransom demand that monetizes it. The Tornado Ransomware targets media in the Windows 'Documents and Settings' folder in particular and may block anything from text files to movies.
The Tornado Ransomware runs on Windows and modifies the system's startup configuration so that it launches automatically when the PC restarts; anyone cleaning up an infection should locate and remove that autostart entry as well as the Trojan's files. Its encryption is RSA-based, and it generates a unique ID for each victim, which it inserts into the internal data of every file that it locks. For most users, however, the most visible symptom that malware experts point out is the Tornado Ransomware's appending of an e-mail address and a '.Tornado' extension to the names of the blocked files.
The Tornado Ransomware also drops a Notepad text file containing the threat actor's simple demand: contact them by e-mail to purchase a decryptor for the locked media. The ransom is paid in Bitcoin, which, victims should note, is irreversible and lacks the chargeback and fraud protections of traditional payment methods. Although the instructions include a casual reference to time pressure, malware experts find no cases of the Tornado Ransomware taking any further action after the initial encryption, such as the Jigsaw Ransomware's hourly file-deleting routine.
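As an added example (not code from the original article or from any vendor), the following Python script triages a directory tree for the symptoms described above: file names ending in '.Tornado' with an e-mail address inserted, grouped by attacker address and by the original file type, plus any text file that mentions that address, which is the best available hint for the ransom note because the page does not give its name. The bracketed and unbracketed name layouts, the 'example.com' address and the sample file names are constructed assumptions, since the page does not document the exact separator used around the address.

```python
"""Offline triage for a Tornado-style ransomware incident.

Added example, not code from the original article or from any vendor. It
assumes only what the article states: encrypted files carry an e-mail
address and a '.Tornado' extension appended to their names, and the ransom
note is a plain text file. The exact separator around the address and the
note's file name are NOT documented, so the matcher accepts any e-mail-like
token anywhere in the name, and the note finder keys on content (the
attacker address seen in renamed files) rather than on a guessed file name.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

TORNADO_SUFFIX = ".tornado"          # compared case-insensitively (Windows FS)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SEPS = " .[](){}<>_-"                # debris left where the address was cut out


def parse_tornado_name(name):
    """Return (original_name, attacker_email) for a renamed file, else None."""
    if not name.lower().endswith(TORNADO_SUFFIX):
        return None
    stem = name[: -len(TORNADO_SUFFIX)]
    m = EMAIL_RE.search(stem)
    if m is None:
        return None                  # '.Tornado' alone is not enough evidence
    local, _, domain = m.group(0).partition("@")
    before, after = stem[: m.start()], stem[m.end():]
    if not before.strip(SEPS) and not after.strip(SEPS) and "." in local:
        # No bracket separated the address from the file name, so the greedy
        # local-part match swallowed the original name ('holiday.mp4.x@y.com').
        # Best effort: the original name ends at the last dot before '@'.
        cut = local.rfind(".")
        before, local = local[:cut], local[cut + 1:]
    original = before.rstrip(SEPS) or after.lstrip(SEPS)
    return original, f"{local}@{domain}".lower()


def triage_paths(paths):
    """Summarize renamed files: per-attacker-address counts and hit file types."""
    hits, emails, exts = [], Counter(), Counter()
    for p in paths:
        parsed = parse_tornado_name(os.path.basename(p))
        if parsed is None:
            continue
        original, email = parsed
        hits.append((p, original, email))
        emails[email] += 1
        exts[Path(original).suffix.lower() or "(none)"] += 1
    return {"hits": hits, "emails": emails, "extensions": exts}


def scan_tree(root):
    """Walk a directory tree and triage every file name in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)


def find_ransom_notes(root, emails, max_bytes=64 * 1024):
    """Return .txt files under root that mention an attacker address found in
    the renamed files; only the first max_bytes of each file are read."""
    wanted = {e.lower() for e in emails}
    notes = []
    for d, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".txt"):
                continue
            p = os.path.join(d, f)
            try:
                text = Path(p).read_bytes()[:max_bytes].decode("utf-8", "ignore")
            except OSError:
                continue
            if any(e in text.lower() for e in wanted):
                notes.append(p)
    return notes


def demo():
    """Run the triage over a constructed sample tree (not real samples)."""
    samples = {                                      # all constructed
        "report.docx.[contact@example.com].Tornado": b"\x00" * 16,
        "holiday.mp4.contact@example.com.Tornado": b"\x00" * 16,
        "notes.txt": b"shopping list",
        "HOW_TO_RECOVER.txt": b"Write to contact@example.com to buy the decryptor.",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        result = scan_tree(tmp)
        notes = [os.path.basename(n) for n in find_ransom_notes(tmp, result["emails"])]
    return result, notes


if __name__ == "__main__":
    result, notes = demo()
    for path, original, email in result["hits"]:
        print(f"{os.path.basename(path)} -> {original} (contact: {email})")
    print("file types hit:", dict(result["extensions"]))
    print("candidate ransom notes:", notes)
```

Run it against a copy of the affected user's profile (not the live system drive) to get a count of encrypted files per attacker address and per original file type before deciding whether restoring from backup covers the loss; the recovered original names also tell you which files to look for in those backups.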
Weathering the Worst in Data Attacks
The Tornado Ransomware's encryption predominantly damages local drives. Cloud storage, local network backups and removable devices all offer alternate ways of preserving your media that the Tornado Ransomware cannot reach without the help of a third-party program or threat actor, provided they are not left connected or mounted as writable drives while the Trojan runs; a backup that is disconnected after each copy is the most dependable. Cybercrooks often insist on Bitcoin and other cryptocurrencies because such payments cannot be reversed, which keeps victims from demanding refunds when the decryption solution they sell turns out to be bug-ridden or fake.
Although malware researchers confirm that every part of the Tornado Ransomware's payload works as needed to block and ransom the victim's files, not all aspects of this Trojan's campaign are known. Its infection vectors remain a subject for future analysis and could include file-sharing networks like torrents, browser-abusing exploit kits or, most likely, e-mail attachments. Keep your anti-malware products fully updated and active so that they can delete the Tornado Ransomware on sight.
The Tornado Ransomware is less a new storm than an old one with a new name attached. For anyone dealing with locked files, however, that distinction is of little practical help in avoiding the loss of their savings to a ransom.