Updated: Remove TorrentLocker (Crypt0l0ker) and .Enc Files Manually

First detected in August 2014, TorrentLocker (Crypt0l0ker) has now a new distribution campaign targeting Italian victims. It encrypts files on the victims’ systems and appends extension .enc to them. This ransomware infection was first detected by a security researcher from Emsisoft.

New TorrentLocker (Crypt0l0ker) in Detail

The new distribution campaign of TorrentLocker (Crypt0l0ker) spread a malicious ZIP file called ENEL_BOLLETA.zip in order to get access to the computer. This file contains a JS file called ENEL_BOLLETA.js. Immediately after ENEL_BOLLETA.js is executed TorrentLocker contacts its command and control server (C&C) and downloads another malicious payload in %Temp% folder. The ransomware may drop other malicious files needed for its operations in the following folders:

  • %AppData%
  • %Windows%
  • %Roaming%
  • %SystemDrive%
  • %Local%
  • %User’s Profile%

Furthermore, the currently detected version of TorrentLocker ransomware may create malicious registry values in order to run its malicious payloads every time the Windows OS starts up. It may create its values in the following Windows Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\ CurrentVersion\RunOnce
HKEY_CURRENT_USER\ Software\Microsoft \Windows\CurrentVersion \RunOnce
HKEY_LOCAL_MACHINE\Software \Microsoft\Windows\ CurrentVersion \Run
HKEY_CURRENT_USER\ Software\Microsoft \Windows\ CurrentVersion\Run

Thus the TorrentLocker’s payload downloaded from its C&C server is automatically executed. Afterward, the encryption process starts. TorrentLocker scans for all file types that are assigned in its configuration, encrypts them using a strong cryptographic algorithm and appends the extension .enc to the encrypted files. TorrentLocker may encrypt most common file types including audio files, video files, Microsoft Office documents, pictures and other image files, web files, Photoshop files. All encrypted files will be rendered useless.

What follows is displaying a ransom note on the computer screen. The file has arbitrarily generated name and provides instructions on how to complete the paying of the ransom. The current version of TorrentLocker demands payment in Bitcoins. We strongly recommend you to shrink from accessing the TorrentLocker payment site and paying the ransom. The creators may have injected other threats on their website.

Distribution Tactics of TorrentLocker (Crypt0l0ker)

It seems that the latest distribution campaign of TorrentLocker (Crypt0l0ker) targets Italian users. There are detections of spam emails that pretend to be from Italian energy company Enel. The file ENEL_BOLLETA.zip is attached to the email. According to the text in the email, this file contains information on the user’s bills. At present, there is no information whether this version of TorrentLocker (Crypt0l0ker) use other tactics for distribution. However, the ransomware infection may also spread via malicious redirect links in compromised websites as well as on social media sites. Another possible way of distribution is through file sharing services.

Is It Possible to Restore .Enc Files?

The previous three versions of TorrentLocker (Crypt0l0ker) have been cracked and the security experts from Kaspersky Lab. Their RannohDecryptor software successfully exploits a flaw in the code and restores the encrypted files. Unfortunately, the current version, number four in the series is developed in a way that cannot be cracked by the current version of RannohDecryptor. Anyway, the security engineers are working on the case and eventually a working decrypter will be released soon.
Probably the ransomware tries to delete the shadow volume copies but sometimes its operations may crash. So there is a chance to recover some .enc files with the help of Shadow Explorer. Data recovery software could also be efficient way to restore some of the data.

New Version Of The TorrentLocker / Crypt0l0ker Ransomware Released

Security experts have identified a new strain of the ransomware virus which use random 6 lower alphabetic characters as the file extension. It uses the “HOW_TO_RESTORE_FILES.txt/html” file to contain the ransomware note.

Removal of TorrentLocker (Crypt0l0ker)

TorrentLocker (Crypt0l0ker) is really nasty threat, and it exposes your computer and your data to a huge risk. It is doubtless that you should instantly remove it from the computer. We will help you with our step-by-step manual removal. Follow it and get rid of TorrentLocker (Crypt0l0ker). Have in mind that sometimes it may be rather tough to tackle with ransomware infection and some files and objects may be hidden extremely well in the system. Thus the ransomware will continue to exist on your system. Thus once you complete the manual removal we recommend you to use advanced anti-malware solutions and stay away from cyber threats.

Summary


Name
TorrentLocker (Crypt0l0ker) Ransomware

File Extensions
.enc or a random extension (for the newer strain)

Ransom
Varies

Easy Solution
You can skip all steps and remove TorrentLocker (Crypt0l0ker) ransomware with the help of an anti-malware tool.

Manual Solution
TorrentLocker (Crypt0l0ker) ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
TorrentLocker uses targeted email spam campaign against its victims.

TorrentLocker (Crypt0l0ker) Ransomware Removal

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely TorrentLocker (Crypt0l0ker) Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of TorrentLocker (Crypt0l0ker) requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete TorrentLocker (Crypt0l0ker) ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

Author : Joseph Steinberg

Joseph Steinberg is the editor-in-chief, lead content creator, and local father figure of Best Security Search. He enjoys hiking and rock climbing and hates the 12345678 and qwerty passwords.


Related Posts